[dns-operations] DNS flag day 2020: The OpenDNS/Cisco perspective

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Thu Feb 27 13:58:40 UTC 2020


On 2/26/20 11:51 PM, Brian Somers wrote:
> - Servers (nameservers or resolvers) do their best to reply as asked
>   The client wants the data and can decide on what risk the chosen
>   bufsize implies in their environment.  Servers can apply practical
>   limits to bufsize to avoid large buffers or huge amplifications
>   etc.

The client can limit the bufsize, but *if* something close to the client
is obstructing fragments (say in ISP's network), I believe this DNS
client typically isn't clever enough to "know/notice" and directly
request smaller bufsize.  The RFC recommended default 4096, so it's not
surprising to often see that in practice.  Here I think it will actually
help the reliability if the server caps the bufsize under 1.5k even if
its client signals that it can handle more.

Incidentally, I think that never sending RRSIGs in answers considerably
reduces the probability of fragmentation happening in real-life cases :-)


More information about the dns-operations mailing list