[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(
petr.spacek at nic.cz
Tue Apr 21 07:57:27 UTC 2020
On 21. 04. 20 9:00, Paul Vixie wrote:
> On Tuesday, 21 April 2020 06:20:04 UTC Petr Špaček wrote:
>> On 20. 04. 20 22:22, Viktor Dukhovni wrote:
>>> On Mon, Apr 20, 2020 at 12:52:49PM -0700, Brian Somers wrote:
>>>> At Cisco we allow up to 1410 bytes upstream and drop fragments. We
>>>> prefer IPv6 addresses when talking to authorities. We’ve been doing
>>>> this for years (except for a period between Feb 2019 and Aug 2019).
>>>> Zero customer complaints.
>>>
>>> So perhaps the advice to default to 1232 should be revised:
>> Please let's not jump to conclusions, especially because of single anecdote.
> my own anecdotes are not singular, but your point is taken.
>> As Knot Resolver developer I counter with another anecdote:
>> We have experience with networks where a ~1300 buffer was the workable minimum
>> and 1400 was already too much.
> i hope you can say much more than this, about that.
Unfortunately I can't, we never got to the root cause.
It is the same story again and again:
Probably one of the ISPs in the chain on the affected link was doing weird stuff with big packets. We as Knot Resolver developers were not "their customer" but merely "the supplier of their customer", so they refused to talk to us, and their actual customer lost interest as soon as it started to work reliably for them. That's all we have, i.e. nothing.
>> As for OpenDNS experience - I'm hesitant to generalize. According to
>> 20200201_DNSSEC_Recursive_Resolution_From_the_Ground_Up.pptx DO bit is sent
>> out only since Sep'2018, and presumably from resolvers in data centers.
> i understood the opendns team to say that they also used 1410 as the maximum
> buffer size in responding to downstream queries. perhaps they can expand here.
>> Results would be very different for recursive resolver deployment deep in
>> corporate networks/on the last mile.
> that statement stretches the verb "would" too far. did you mean "could"?
No, I did mean "would":
- OpenDNS's experience says that in data centers 1410 works.
- Our experience says that outside of data centers 1410 does not always work.
> think we can learn a lot from authoritative responses (how many are followed
> by retries or TCP or a complaint?) and recursive responses (same question).
>> DNS-over-TCP is mandatory to implement so please let's stop working it
> +1. no part of this debate is for me an argument against mandated TCP and
> recommended DoT. those should be assumed on all timelines. however, that does
> not justify an arbitrary maximum response buffer size such as 1232. all of the
> math that leads to 1232 is unsuitable for DNS's use.
Let's be precise here. The proposal on the table is to change _default values in configuration_.
Nobody is proposing to impose "arbitrary maximum response buffer size" and weld it onto DNS software. Vendors are simply looking for defaults which work for them and their customer/user base.
Petr Špaček @ CZ.NIC
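As an added example (not code from this thread, nor from Knot Resolver or OpenDNS), here is a small Python model of what the debated default actually controls: the UDP payload size a resolver advertises in the EDNS0 OPT RR, and the TCP fallback that happens when the reply comes back truncated or never arrives because a fragment was dropped on the path. The simulated authority, the path limit and the answer sizes are constructed for illustration; the 1232 derivation (IPv6 minimum MTU 1280 minus the 40-byte IPv6 header minus the 8-byte UDP header) is the standard one the thread refers to.

```python
import struct

# The math behind the 1232 default: a reply that fits in one IPv6 minimum-MTU
# datagram can never be fragmented, whatever the path looks like.
IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
UDP_HEADER = 8
EDNS_UNFRAGMENTABLE = IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER  # 1232

OPT_TYPE = 41          # EDNS0 pseudo-RR type
FLAG_TC = 0x0200       # TrunCation bit in the DNS header flags
QTYPE_DNSKEY = 48


def build_query(qname, qtype, bufsize, msg_id=0x1234, do_bit=True):
    """DNS query with one question and an OPT RR advertising `bufsize`."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 QD, 1 AR
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | DO bit + Z(16), RDLEN=0 (RFC 6891)
    ttl = (1 << 15) if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_bufsize(msg):
    """UDP payload size carried in the message's OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def is_truncated(resp):
    return bool(struct.unpack("!H", resp[2:4])[0] & FLAG_TC)


def resolve(query, udp_send, tcp_send):
    """Try UDP first; fall back to TCP on TC=1 or when no reply arrives."""
    resp = udp_send(query)
    if resp is None or is_truncated(resp):
        return tcp_send(query), "tcp"
    return resp, "udp"


def make_authority(answer_len, path_limit):
    """Constructed stand-in for an authoritative server whose full answer is
    `answer_len` bytes, reached over a path that silently drops UDP datagrams
    larger than `path_limit` (the fragment-dropping middlebox case)."""
    def full_reply(query):
        return query[:2] + struct.pack("!H", 0x8000) + b"\x00" * (answer_len - 4)

    def udp_send(query):
        bufsize = advertised_bufsize(query) or 512
        if answer_len > bufsize:
            # Server honours the advertised size: minimal reply with TC set.
            return query[:2] + struct.pack("!H", 0x8000 | FLAG_TC) + b"\x00" * 8
        reply = full_reply(query)
        return None if len(reply) > path_limit else reply  # None == timeout

    def tcp_send(query):
        return full_reply(query)  # TCP is not subject to the datagram limit

    return udp_send, tcp_send


if __name__ == "__main__":
    udp, tcp = make_authority(answer_len=1300, path_limit=1400)
    for bufsize in (1232, 1410):
        _, transport = resolve(build_query("darpa.mil", QTYPE_DNSKEY, bufsize), udp, tcp)
        print(f"bufsize={bufsize}: answered over {transport}")
```

With a 1300-byte DNSKEY answer and a path that passes 1400-byte datagrams, a 1232 default costs a TC retry over TCP while 1410 is answered in one UDP round trip; move the path limit below the answer size and 1410 turns into a silent drop plus timeout before the same TCP fallback, which is the trade-off the thread is weighing.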