[dns-operations] FlagDay 2020 UDP Size (ofda.gov breakage)

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Aug 8 04:11:51 UTC 2020


On Wed, Aug 05, 2020 at 12:53:17PM +0200, Petr Špaček wrote:

> It is way easier to test if "TCP works for all auths for a given
> domain" than to test if "IP fragments can traverse all relevant paths
> over the Internet for all relevant answer sizes". The second option is
> just infeasible/madness.
> 
> Once we get TCP working we do not need to worry that a too-small EDNS
> buffer will break something, it only might make things less
> effective...

FWIW, another data point on UDP buffer sizes, the ofda.gov nameservers
do not appear to be willing to truncate UDP answers to the client's
requested buffer size:

    $ dig +bufsize=1200 +norecur +dnssec -t tlsa _25._tcp.dc4vasmtp01.ofda.gov @ns01.ofda.gov

returns no answer at all (for any buffer size less than the full 1563
byte answer).  So, while TCP actually works if used directly, there is
no TCP fallback since no UDP packets are returned with TC=1. :-(

-- 
    Viktor.
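The behaviour Viktor reports (a small client buffer gets silence instead of a TC=1 reply, so the resolver never falls back to TCP) is something an operator can check for their own zones. The script below is an added example, not part of Viktor's mail or of any tool mentioned in the thread; it uses only the Python standard library, builds the EDNS0 query by hand (RD clear, DO set, the requested UDP payload size in the OPT class field), and classifies what comes back. The byte strings in `TRUNCATED_REPLY` and `FULL_REPLY` are constructed here to illustrate the two outcomes; the server and name under `__main__` are the ones from the mail.

```python
"""Check whether an authoritative server truncates (TC=1) or goes silent
when the client's EDNS0 buffer is smaller than the answer."""
import socket
import struct

TLSA = 52  # RR type for TLSA records

def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, bufsize, qid=0x1234, dnssec=True):
    """Build a non-recursive query with an OPT RR advertising `bufsize`.

    Equivalent in spirit to `dig +bufsize=N +norecur +dnssec` (assumption:
    we only mirror the options the mail uses)."""
    # Header: id, flags (RD=0), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags (DO bit is 0x8000), RDLENGTH 0
    do_flag = 0x8000 if dnssec else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, do_flag, 0)
    return header + question + opt

def classify_response(resp):
    """Return 'no-response', 'malformed', 'truncated' (TC=1) or 'full'."""
    if resp is None:
        return "no-response"
    if len(resp) < 12:
        return "malformed"
    _, flags = struct.unpack("!HH", resp[:4])
    return "truncated" if flags & 0x0200 else "full"

def fallback_verdict(resp):
    """Say whether a stub/resolver would be able to fall back to TCP."""
    kind = classify_response(resp)
    if kind == "truncated":
        return "TC=1 returned: resolvers will retry over TCP"
    if kind == "full":
        return "answer fit in the advertised buffer: no fallback needed"
    return "no usable UDP reply: resolvers cannot learn to fall back to TCP"

def probe_udp(server, qname, qtype, bufsize, timeout=3.0):
    """Send one UDP query and return the raw reply, or None on timeout."""
    query = build_query(qname, qtype, bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return data

# Constructed sample replies (headers plus the echoed question only):
# QR=1,AA=1,TC=1 -> 0x8600 ; QR=1,AA=1 -> 0x8400
_QUESTION = encode_name("_25._tcp.dc4vasmtp01.ofda.gov") + struct.pack("!HH", TLSA, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 0) + _QUESTION
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    # Live probe of the case from the mail (needs network access).
    for size in (512, 1200, 1232, 4096):
        reply = probe_udp("ns01.ofda.gov", "_25._tcp.dc4vasmtp01.ofda.gov", TLSA, size)
        print(f"bufsize={size}: {fallback_verdict(reply)}")
```

Sweeping a few buffer sizes (512, 1200, 1232 and a large one) against each authoritative server for a zone is the practical check: every size below the answer's length should yield TC=1, and any size that yields a timeout is the failure mode described above.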