[dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

Brian Somers bsomers at opendns.com
Wed Sep 16 01:57:14 UTC 2020


On Sep 11, 2020, at 1:24 PM, Brian Dickson <brian.peter.dickson at gmail.com> wrote:
> 
> In short: I would be perfectly okay if the recommendation were ONLY for the authority (and server side of resolvers) to lower their default configured UDP bufsizes, at which point having a range of recommended values (rather than a single value) would be more appropriate.
> Server-side defaults can have their values changed (overridden) by config changes, but that ONLY has effect if the clients are NOT ALSO implementing the SAME values.
> 
> That's the problem: EDNS0 UDP Bufsize negotiation allows different values to be configured/offered, and uses the MINIMUM value. If both ends have their defaults lowered, and that causes a problem, it CANNOT be fixed unilaterally.

FWIW I agree with this argument - the fact that there are two configured
bufsize values is very important, perhaps more so in the OpenDNS case
than elsewhere due to our DNSCrypt traffic.  However, I would argue that
the reduced number (whether it’s 1232, 1400 or 1452) should be chosen
by the requestor.

My argument goes something like this.  When a DNS request is sent,
the client (whether a stub or a resolver) is the most qualified to
know specifics about the “connection” and is also the target of
fragmentation attacks.  If the client has a “secure path” to the
server (DNSCrypt, DNSCurve, DTLS, a VPN, localhost), a value of 4096 is
a great choice.  If a client is a stub inside a complicated enterprise
network where VLANs and tunnels and [other stuff] are in effect, 1232
might be appropriate.  If a client has an unfettered Internet connection,
a value of 1452 might be better.  Playing into this, a client might
also decide to drop fragments (because they’re just too dangerous)
and might want to use 1232 “just in case”.

All of these decisions are client decisions.  Should the server ever
decide?  I don’t know of any use case where it should, other than to
limit abuse (amplification attacks).

IMHO a default request bufsize of 1500 or less (1400 seems popular)
would serve the DNS community best, leaving the default response bufsize
at 4096 (is that the usual value?).

—
Brian
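The negotiation the thread is arguing about, as an added illustration that is not part of the original message: the requestor advertises its UDP payload size in the CLASS field of the EDNS0 OPT pseudo-RR (RFC 6891), and the responder caps its UDP answer at the minimum of that advertised value and its own configured maximum, so once both defaults are lowered neither side can raise the effective limit alone. The `responder_max` parameter stands in for what the mail calls the default response bufsize; the 512-byte floor and the 4096/1232 sample values are constructed here.

```python
import struct

EDNS_OPT_TYPE = 41       # OPT pseudo-RR type (RFC 6891)
EDNS_MIN_PAYLOAD = 512   # advertised values below this are treated as 512


def build_opt_rr(udp_payload_size: int, do_bit: bool = False) -> bytes:
    """Serialize an EDNS0 OPT RR: root name, TYPE=41, CLASS=advertised UDP
    payload size, TTL=(ext-RCODE, version, flags), empty RDATA."""
    flags = 0x8000 if do_bit else 0          # DO bit is the top flag bit
    ttl = (0 << 24) | (0 << 16) | flags      # ext-RCODE=0, version=0
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, ttl, 0)


def parse_opt_rr(rr: bytes) -> dict:
    """Parse an OPT RR at the start of `rr` (as a responder would on receipt)."""
    if len(rr) < 11 or rr[0] != 0:
        raise ValueError("not an OPT RR: root name expected")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != EDNS_OPT_TYPE:
        raise ValueError("not an OPT RR: wrong type")
    return {
        "udp_payload_size": payload,
        "version": (ttl >> 16) & 0xFF,
        "do": bool(ttl & 0x8000),
        "rdata": rr[11:11 + rdlen],
    }


def effective_udp_size(requestor_advertised: int, responder_max: int) -> int:
    """Largest UDP response the responder will send: the requestor's advertised
    size, capped by the responder's own configured maximum (assumed knob)."""
    advertised = max(EDNS_MIN_PAYLOAD, requestor_advertised)
    return min(advertised, responder_max)


def response_fits_udp(response_len: int, requestor_advertised: int,
                      responder_max: int) -> bool:
    """False means the answer would be sent truncated (TC=1) and the
    requestor has to retry over TCP."""
    return response_len <= effective_udp_size(requestor_advertised, responder_max)


if __name__ == "__main__":
    opt = build_opt_rr(1232)                  # constructed: a 1232-byte advert
    print(parse_opt_rr(opt)["udp_payload_size"])
    # Both sides lowered: raising only the responder's max changes nothing.
    print(effective_udp_size(1232, 4096), effective_udp_size(4096, 1232))
```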


