[dns-operations] DNS Flag Day 2020

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Feb 8 07:33:01 UTC 2020


On Fri, Feb 07, 2020 at 10:09:08AM -0500, Alexander Dupuy wrote:

> In our analysis of the impact on Google Public DNS if it limits EDNS UDP
> buffer size to 1232 for all queries, we identified common types of affected
> queries/responses and hope to share statistics on their frequency in our
> authoritative name server query logs, as the data may be of interest to
> others.
> 
> We're also looking for other ways to share aggregated versions of DNS Flag
> Day 2020 impact data. In particular, we are looking for a Flag Day
> participant interested in applying this data to enhance the
> https://dnsflagday.net/2020/#how-to-test authoritative DNS checker.

One of the topics covered there, is how to configure various resolvers
to set the EDNS buffer size to 1232.  I use unbound, which only serves
the loopback interface and my local LAN, but obviously originally
obtains answers from the world at large.

Unfortunately, I don't see a way to separately configure the *upstream*
and *downstream* EDNS buffer sizes.

On the loopback interface and local LAN I'd ideally like to have an 8KB
buffer size, there's no reason to force TCP fallback.  And yet, upstream
in queries to remote domains, especially over IPv6, I'd like to set a
more conservative value, e.g. 1232, but perhaps closer to 1400 for IPv4
if that were possible.

I don't think unbound currently has configuration options to make that
possible.  In the full list of advice I see:

  - Two resolvers that seem to support separate downstream vs. upstream
    buffer sizes:

        PowerDNS Recursor
            edns-outgoing-bufsize=1232
            udp-truncation-threshold=1232

        BIND
            options {
              edns-udp-size 1232;       -- upstream I think...
              max-udp-size 1232;        -- downstream I think...
            };

  - One that supports separate IPv4 vs. IPv6 settings:

        NSD
            server:
              ipv4-edns-size: 1232
              ipv6-edns-size: 1232

  - And two with apparently just a single parameter:

        Knot Resolver
            net.bufsize(1232)

        Unbound
            server:
              edns-buffer-size: 1232

I"d like to recommend a more uniform approach, with separately
configurable upstream and downstream settings for both IPv4 and IPv6.

-- 
    Viktor.



More information about the dns-operations mailing list