On 21/06/16 13:55, Jan Včelák wrote:
> There has been a request in our issue tracker [1] to enable the
> IPV6_USE_MIN_MTU socket option [2] for IPv6 UDP sockets in Knot DNS.
> This option makes the operating system send the responses with a
> maximal fragment size of 1280 bytes (the minimal MTU size required by the
> IPv6 specification).
>
> The reasoning is based on the draft by Mark Andrews from 2012 [3]. I
> wonder if the reasoning is still valid in 2016. And I'm afraid that
> enabling this option could enlarge the window for possible DNS cache
> poisoning attacks.
>
> We would appreciate any feedback on your operational experience with DNS
> on IPv6 related to packet fragmentation.

Hi Jan,

This setting is useful to operators who wish to emit large DNS UDP
responses over IPv6, and have them fragmented at 1280 bytes. Sure,
fragments have their own issues, and are blocked in many places, but an
operator should be allowed to make this decision.

If it were me, I would instead use the "max-udp-payload" option, set to
1280, so that Knot emits responses with TC set. This may cause some
clients to retry over TCP. But one missing feature in Knot is that it
doesn't allow tuning of the EDNS payload separately for IPv4 and IPv6.
It might be useful to have "max-udp-payload-ipv4" and
"max-udp-payload-ipv6" options for setting this separately, because IPv4
and IPv6 behaviours are different.

Regards,
Anand
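An added illustration of the alternative discussed in this thread (this is example code, not from the mailing list or from Knot DNS): it models how a server-side UDP payload cap, here split per address family as Anand proposes (the per-family option names are hypothetical), combines with the client's EDNS buffer size to decide whether a reply goes out with TC set rather than relying on IP-layer fragmentation. It also reports the largest IPv6 datagram a given cap can produce, so the result can be compared against the 1280-byte minimum MTU.

```python
# Model of the UDP truncation decision; constants are protocol facts,
# SERVER_CAPS is a constructed, hypothetical per-family configuration.

IPV6_MIN_MTU = 1280   # minimum link MTU required by the IPv6 specification
IPV6_HEADER = 40      # fixed IPv6 header, no extension headers
UDP_HEADER = 8
NO_EDNS_LIMIT = 512   # classic UDP limit when the query carries no OPT record

# Hypothetical per-family caps, in the spirit of the suggestion in the thread
SERVER_CAPS = {"ipv4": 4096, "ipv6": 1280}


def effective_udp_limit(client_bufsize, family, caps=SERVER_CAPS):
    """Largest DNS message the server will send over UDP to this client.

    client_bufsize is the EDNS UDP payload size from the query's OPT record,
    or None when the query has no OPT record (then the 512-byte limit applies).
    """
    if client_bufsize is None:
        return NO_EDNS_LIMIT
    # RFC 6891: advertised values below 512 are treated as 512
    client_bufsize = max(client_bufsize, NO_EDNS_LIMIT)
    return min(client_bufsize, caps[family])


def plan_udp_response(response_len, client_bufsize, family, caps=SERVER_CAPS):
    """Return (limit, truncated): truncated means the reply carries TC=1.

    A truncated reply makes the client retry over TCP; nothing here relies on
    the IP layer splitting the datagram into fragments.
    """
    limit = effective_udp_limit(client_bufsize, family, caps)
    return limit, response_len > limit


def max_ipv6_datagram(dns_payload_cap):
    """On-the-wire size of the largest full-size UDP reply under this cap."""
    return dns_payload_cap + IPV6_HEADER + UDP_HEADER


def ipv6_cap_without_fragmentation():
    """Largest DNS payload cap whose full-size reply still fits in 1280 bytes."""
    return IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER


if __name__ == "__main__":
    limit, tc = plan_udp_response(1500, 4096, "ipv6")
    print(f"ipv6 limit={limit} TC={tc} max datagram={max_ipv6_datagram(limit)}")
    print(f"cap that never exceeds the minimum MTU: {ipv6_cap_without_fragmentation()}")
```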