> Large UDP packets (think EDNS0 DNSSEC as a good example of large UDP
> packets almost certain to be fragmented) suffer the same problem, as
> they can be fragmented by PMTU discovery. The server (operating system)
> has to maintain UDP state for PMTUD to work. If the ICMP fragmentation
> needed is lost due to Anycast, PMTUD will fail. Lost UDP fragments are
> fatal to the UDP transaction.
Actually you just turn off PMTUD on replies. This is
recommended for *all* nameservers. It's pointless for
authoritative nameservers to maintain PMTU state and may
in fact be a DoS vector if they do.
IPv4 - Don't set DF.
IPv6 - Fragment at the server at network MTU.
The socket option IPV6_USE_MIN_MTU was a direct consequence
of DNS operators looking at this issue over 10 years ago.
http://www3.tools.ietf.org/html/draft-ietf-ipngwg-bsd-frag-01
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
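As an added example (not part of Mark Andrews' message, and not ISC's or BIND's own code), here is how a nameserver could apply the two rules from the reply above to its UDP reply sockets: clear DF on IPv4 so routers fragment the reply themselves, and on IPv6 fragment at the sender at the 1280-byte minimum MTU so no ICMPv6 Packet Too Big ever has to reach the anycast node that sent the answer. It assumes the Linux socket options IP_MTU_DISCOVER, IPV6_MTU_DISCOVER and IPV6_MTU and the BSD options IPV6_USE_MIN_MTU and IP_DONTFRAG; each branch is guarded by #ifdef, and the probe reports "unsupported" rather than failing when a platform lacks the option or the address family.

```c
/* Added example (not ISC's or BIND's code): configure a nameserver's UDP
 * reply sockets so that delivery never depends on Path MTU Discovery.
 * IPv4: do not set DF.  IPv6: fragment locally at the 1280-byte minimum
 * MTU.  The Linux option names (IP_MTU_DISCOVER, IPV6_MTU_DISCOVER,
 * IPV6_MTU) and the BSD IPV6_USE_MIN_MTU / IP_DONTFRAG are assumptions
 * about the platform and are guarded so the file builds anywhere. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum { PMTUD_OFF_OK = 0, PMTUD_OFF_UNSUPPORTED = 1, PMTUD_OFF_FAILED = -1 };

/* IPv4: clear DF so routers fragment replies in the network instead of
 * returning an ICMP "fragmentation needed" that an anycast node may
 * never see (it can land on a different instance of the same address). */
static int ipv4_disable_pmtud(int fd)
{
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)      /* Linux */
    int want = IP_PMTUDISC_DONT, got = -1;
    socklen_t len = sizeof got;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &want, sizeof want) < 0)
        return PMTUD_OFF_FAILED;
    /* Read the option back: a silent no-op here would leave DF set. */
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &got, &len) < 0 || got != want)
        return PMTUD_OFF_FAILED;
    return PMTUD_OFF_OK;
#elif defined(IP_DONTFRAG)                           /* FreeBSD, macOS */
    int off = 0;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &off, sizeof off) < 0
           ? PMTUD_OFF_FAILED : PMTUD_OFF_OK;
#else
    (void)fd;
    return PMTUD_OFF_UNSUPPORTED;
#endif
}

/* IPv6: routers never fragment, so the sender must.  Fragment at the
 * minimum MTU (1280) and keep the socket from depending on PMTUD state. */
static int ipv6_fragment_at_min_mtu(int fd)
{
#if defined(IPV6_USE_MIN_MTU)        /* BSD option from the cited draft */
    int on = 1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &on, sizeof on) < 0
           ? PMTUD_OFF_FAILED : PMTUD_OFF_OK;
#elif defined(IPV6_MTU_DISCOVER) && defined(IPV6_MTU)          /* Linux */
    int want = IPV6_PMTUDISC_DONT, got = -1, mtu = 1280;
    socklen_t len = sizeof got;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &want, sizeof want) < 0)
        return PMTUD_OFF_FAILED;
    /* IPV6_MTU fixes the size at which the kernel fragments our datagrams;
     * it is not read back because getsockopt(IPV6_MTU) needs a connected
     * socket.  IPV6_MTU_DISCOVER is verified instead. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof mtu) < 0)
        return PMTUD_OFF_FAILED;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &got, &len) < 0 || got != want)
        return PMTUD_OFF_FAILED;
    return PMTUD_OFF_OK;
#else
    (void)fd;
    return PMTUD_OFF_UNSUPPORTED;
#endif
}

/* Open a UDP socket of the given family, apply the setting, close it.
 * Returns PMTUD_OFF_UNSUPPORTED when the family itself is unavailable
 * (e.g. IPv6 disabled in a container), PMTUD_OFF_FAILED on a real error. */
int probe_pmtud_off(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return PMTUD_OFF_UNSUPPORTED;
    int rc = (family == AF_INET6) ? ipv6_fragment_at_min_mtu(fd)
                                  : ipv4_disable_pmtud(fd);
    close(fd);
    return rc;
}

int main(void)
{
    printf("IPv4 DF cleared (0=ok,1=n/a,-1=failed):   %d\n",
           probe_pmtud_off(AF_INET));
    printf("IPv6 fragment at 1280 (0=ok,1=n/a,-1=failed): %d\n",
           probe_pmtud_off(AF_INET6));
    return 0;
}
```

In a real server the two static helpers would be called once on each listening socket right after bind(); the read-back check matters because setsockopt on an unknown option is the kind of failure that is otherwise only noticed when a large DNSSEC answer silently stops arriving.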