[dns-operations] DNS flag day 2020: The OpenDNS/Cisco perspective
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Thu Feb 27 13:58:40 UTC 2020
Hello.
On 2/26/20 11:51 PM, Brian Somers wrote:
> - Servers (nameservers or resolvers) do their best to reply as asked
>
> The client wants the data and can decide on what risk the chosen
> bufsize implies in their environment. Servers can apply practical
> limits to bufsize to avoid large buffers or huge amplifications
> etc.
The client can limit the bufsize, but *if* something close to the client
is obstructing fragments (say in an ISP's network), I believe this DNS
client typically isn't clever enough to "know/notice" and directly
request a smaller bufsize. The RFC recommended a default of 4096, so it's not
surprising to often see that in practice. Here I think it will actually
help reliability if the server caps the bufsize under 1.5k even if
its client signals that it can handle more.
Incidentally, I think that never sending RRSIGs in answers considerably
reduces the probability of fragmentation happening in real-life cases :-)
--Vladimir
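The server-side cap described above, as an added example that is not part of the original post: it parses the EDNS0 OPT record from a raw DNS query, reads the UDP payload size the client advertised, and clamps it to a server cap. The cap value 1232 (the DNS Flag Day 2020 figure, comfortably under the 1.5k mentioned) and the query bytes are constructed for this example.

```python
import struct

SERVER_MAX_UDP_PAYLOAD = 1232   # assumed server cap; well under the 1.5k discussed
DEFAULT_UDP_PAYLOAD = 512       # no OPT record means the classic RFC 1035 limit
OPT_TYPE = 41

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length

def advertised_bufsize(msg):
    """EDNS UDP payload size the client advertised, or None if the query carries no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount + nscount):
        off = _skip_name(msg, off)
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
    for _ in range(arcount):
        off = _skip_name(msg, off)
        rtype, payload_size = struct.unpack("!HH", msg[off:off + 4])
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        if rtype == OPT_TYPE:               # in OPT the CLASS field carries the UDP payload size
            return payload_size
        off += 10 + rdlength
    return None

def effective_bufsize(msg, cap=SERVER_MAX_UDP_PAYLOAD):
    """Response size the server should actually honour: min(client, cap), never below 512."""
    adv = advertised_bufsize(msg)
    if adv is None:
        return DEFAULT_UDP_PAYLOAD
    return max(DEFAULT_UDP_PAYLOAD, min(adv, cap))

def build_query(qname, bufsize=None):
    """Constructed sample query (A record); bufsize adds an EDNS0 OPT record advertising it."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)
    opt = b""
    if bufsize:   # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return header + question + opt
```

A query advertising 4096 is thus answered as if it had asked for 1232, which keeps the UDP response below typical fragmentation thresholds regardless of what the client signalled.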