[dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

Mark Andrews marka at isc.org
Fri Sep 18 00:46:34 UTC 2020


All,
     Unless you are about to initiate a zone transfer or a nailed-up TCP query
connection, DNS clients should be setting an MSS size that prevents PTB generation.
There just isn't enough traffic in a DNS query to warrant performing PMTUD.

The previous MTU options should both cause the kernel to initiate MSS negotiations
that prevent PTB responses (TCP is supposed to pay attention to these options as
they adjust the effective MTU of the interface; FreeBSD got this wrong for a while
but has now fixed the issue).  That said, you can also use setsockopt with
IPPROTO_TCP/TCP_MAXSEG prior to connect to set the MSS size offered (there are
some old stacks that get this wrong).

Mark

> On 18 Sep 2020, at 10:13, Tony Finch <dot at dotat.at> wrote:
> 
> Paul Vixie <paul at redbarn.org> wrote:
>> 
>> happily, that's not known about PLPMTUD (RFC 8899 & 8900). so right now
>> there's new hope, yet undashed.
> 
> I'm trying to understand how PLPMTUD can help the DNS.
> 
> The DNS doesn't have a packetization layer as such - any time the DNS needs
> to get a big message over a pipe that's too narrow, we get TC and fall back
> to TCP which does the packetization for us.
> 
> My very superficial understanding is that PLPMTUD is based on
> application-level probe / timeout / retry instead of ICMP errors. DNS
> resolver implementations have machinery to probe the largest working EDNS
> buffer size, so we already have something in the same ballpark as PLPMTUD.
> 
> For me the questions are:
> 
>  * what's the hard ceiling on a resolver's EDNS buffer size?
> 
>  * what's a resolver's starting probe buffer size?
> 
>  * how complicated is the resolver's probe algorithm?
> 
>  * what's the ceiling on an auth server's UDP response size?
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Dover, Wight: Northeast 5 to 7. Moderate. Fair. Good.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
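The setsockopt(IPPROTO_TCP, TCP_MAXSEG) approach from the message above, as an added example that is not code from the message, from ISC or from any DNS implementation: the MSS is derived from an assumed floor MTU of 1280 (the IPv6 minimum, so 1220 bytes of TCP payload over IPv6) and clamped on the client socket before connect(), so a DNS-over-TCP session never depends on ICMP Packet Too Big messages getting through.

```c
/* Added example: clamp the offered MSS on a DNS-over-TCP client socket before
 * connect(), so PMTUD / ICMP PTB is never needed for DNS traffic. Not from the
 * original message. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Largest TCP payload that fits one packet of the given MTU with no options:
 * MTU minus the fixed IPv6 (40) or IPv4 (20) header minus the 20-byte TCP
 * header. For the IPv6 minimum MTU of 1280 this is 1220; returns -1 if the MTU
 * cannot carry any payload at all. */
int mss_for_mtu(int family, int mtu)
{
    int ip_hdr = (family == AF_INET6) ? 40 : 20;
    int mss = mtu - ip_hdr - 20;
    return mss > 0 ? mss : -1;
}

/* Unconnected TCP socket for the address family; -1 on error (errno set). */
int open_tcp_socket(int family)
{
    return socket(family, SOCK_STREAM, IPPROTO_TCP);
}

/* Offer at most `mss` bytes per segment in our SYN. Must be called before
 * connect(); returns 0 on success, -1 on error (errno set). */
int clamp_tcp_mss(int fd, int mss)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &mss, sizeof mss);
}

/* MSS the stack currently holds for this socket (on Linux the user clamp while
 * still unconnected); -1 on error. */
int current_tcp_mss(int fd)
{
    int mss = 0;
    socklen_t len = sizeof mss;
    if (getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &mss, &len) < 0)
        return -1;
    return mss;
}

int main(void)
{
    int family = AF_INET6;
    int fd = open_tcp_socket(family);
    if (fd < 0) { family = AF_INET; fd = open_tcp_socket(family); }
    if (fd < 0) { perror("socket"); return 1; }
    int mss = mss_for_mtu(family, 1280);     /* assumed floor MTU: 1280 */
    if (clamp_tcp_mss(fd, mss) < 0) { perror("setsockopt TCP_MAXSEG"); return 1; }
    printf("requested MSS %d, kernel reports %d\n", mss, current_tcp_mss(fd));
    /* connect(fd, <DNS server>, port 53) and the 2-byte length-prefixed query would follow */
    close(fd);
    return 0;
}
```

The interface-MTU options the message mentions achieve the same end system-wide; the socket option is the per-connection fallback for stacks that do not honour them.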