I doubt that small difference matters. 1280 or 1232 is almost the same.
It is about the smallest packet supported by IPv6. I think size 1232 was
invented by more or less sophisticated guessing. I am not sure this is
required to be exactly this value. I would leave it at the current value
unless we know a case where it is insufficient.

Cheers,
Petr

On 1/9/22 11:06, Dominik Derigs wrote:
> Hey Simon,
>
> Minimum safe size is recommended to be 1232. See
> https://dnsflagday.net/2020/, relevant parts below:
>
>> This year, we are focusing on problems with IP fragmentation of
>> DNS packets.
>> IP fragmentation is unreliable on the Internet today, and can
>> cause transmission failures when large DNS messages are sent via
>> UDP. Even when fragmentation does work, it may not be secure; it
>> is theoretically possible to spoof parts of a fragmented DNS
>> message, without easy detection at the receiving end.
>> - Bonica R. et al, “IP Fragmentation Considered Fragile”, Work
>> in Progress, July 2018
>> - Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
>> - Fujiwara K., “Measures against cache poisoning attacks using
>> IP fragmentation in DNS”, May 2019
>> - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September
>> 2019
>> Recently, there was a paper and presentation, Defragmenting DNS
>> - Determining the optimal maximum UDP response size for DNS, by
>> Axel Koolhaas and Tjeerd Slokker in collaboration with NLnet
>> Labs that explored the real world data using the RIPE Atlas
>> probes, and the researchers suggested different values for IPv4
>> and IPv6 and in different scenarios. This is practical for the
>> server operators that know their environment, and **the defaults
>> in the DNS software should reflect the minimum safe size which is
>> 1232.**
>
> This PR reduces the minimum safe size to said 1232 bytes.
> Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
> (currently `4096`) to ensure fragmentation will never happen, but
> I don't think we really want to do this given the steady growth
> in DNSSEC-enabled zones (see trend graphs on
> https://stats.dnssec-tools.org).
>
> Best,
> Dominik

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
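The arithmetic behind the 1232 figure (IPv6 minimum MTU of 1280 minus the 40-byte IPv6 header and 8-byte UDP header) and the EDNS0 OPT pseudo-RR that advertises the chosen buffer size, as an added example that is not part of this thread or of dnsmasq; the header sizes and OPT layout are the standard ones (RFC 8200, RFC 768, RFC 6891), the function names are my own.

```python
import struct

# Standard header sizes; the IPv4 figure assumes no IP options.
IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
IPV4_HEADER = 20
UDP_HEADER = 8
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit in the OPT "TTL" flags field


def safe_udp_payload(mtu: int, ipv6: bool = True) -> int:
    """Largest DNS message that fits in one unfragmented datagram of `mtu` bytes."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - UDP_HEADER


def build_opt_rr(udp_payload_size: int, do_bit: bool = True) -> bytes:
    """Encode an OPT RR with no options: root name, TYPE=41, CLASS=payload size,
    TTL=ext-rcode|version|flags, RDLEN=0."""
    flags = DO_FLAG if do_bit else 0
    return b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_payload_size, 0, 0, flags, 0)


def parse_opt_rr(rr: bytes) -> dict:
    """Decode the fixed part of an OPT RR and return the advertised buffer size."""
    if len(rr) < 11 or rr[0] != 0:
        raise ValueError("OPT RR must start with the root name")
    rrtype, size, ext_rcode, version, flags, rdlen = struct.unpack("!HHBBHH", rr[1:11])
    if rrtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    return {"udp_payload_size": size, "version": version,
            "do": bool(flags & DO_FLAG), "rdlen": rdlen}


def fits_unfragmented(response_len: int, mtu: int, ipv6: bool = True) -> bool:
    """True if a DNS response of `response_len` bytes avoids IP fragmentation on `mtu`."""
    return response_len <= safe_udp_payload(mtu, ipv6)


if __name__ == "__main__":
    v6 = safe_udp_payload(IPV6_MIN_MTU, ipv6=True)      # 1232, the flag-day value
    print("IPv6 minimum-MTU payload:", v6)
    print("Ethernet IPv4 payload:", safe_udp_payload(1500, ipv6=False))
    print("OPT RR advertising 1232:", build_opt_rr(v6).hex())
```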


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
