On Mon, Jul 28, 2014 at 08:52:06AM -0400,
 Fernando Gont <[email protected]> wrote 
 a message of 60 lines which said:

> Just curious: How do you check that the UDP-based DNS replies
> actually get to the node that sent the query?

1) Because, otherwise, we would see retransmissions by the client.

2) Because we tested from various places (see a trace attached).

3) Because nobody complained (the weakest argument...)

> How do you send responses larger than, say, ~1500 bytes without
> fragmentation?

I really did not understand your point at all: when you said
"extension headers", I did not think of fragmentation but of
Destination Options, things like that. I thought that your point was
that "extension headers do not work".  So, your point is actually that
"fragmentation does not work"? 

If so, there are other solutions such as decreasing the buffer size
of the server, under the MTU (.com name servers do it). This also
helps against amplification attacks.

% dig -6 @d.ext.nic.fr ANY fr

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -6 @d.ext.nic.fr ANY fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48851
;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fr.                    IN ANY

;; ANSWER SECTION:
fr.                     172800 IN SOA nsmaster.nic.fr. hostmaster.nic.fr. (
                                2222549502 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                5400       ; minimum (1 hour 30 minutes)
                                )
fr.                     0 IN RRSIG NSEC3PARAM 8 1 0 20140914071832 (
                                20140716071832 47116 fr.
                                frc2CPwNg8uhi79qD7HRRuLHHc9tBIUebEOOHxRqnq0H
                                v5hYZCxahoZ2ZyO4oIf4uqjAIrB3IF8YUdebujJkhYiZ
                                v0vcS5eHrnZRbWhn0tZEdxBYPaD51zGNrKENrQhdApbR
                                iWUVL9ZjkfOPKAHvtgvSlQlCUhDamxpvOkmeAFM= )
fr.                     0 IN NSEC3PARAM 1 0 1 33629585
fr.                     172800 IN RRSIG DNSKEY 8 1 172800 20140914071832 (
                                20140716071832 20122 fr.
                                V47KfKfpCkwh0oC13es9Tr/dqNrG63SRLyhWYdwDWTXH
                                +wRMQNrIXLDVWRk7ZqwFadYABP2ler5PTMQ7bM0sjMAa
                                NmPou3Pj+xOr7mT9MAvIXzVNKehETh4dN9MtlTzLLAmO
                                wCv9yBxby0197w+wDZYjkTTBMzVgXuUkj5ymWwENQmIU
                                F9fs6RuTRY9ZNweczjWMQmQDwL9FBgLOHtO3o7fmYMOR
                                3oSUlFpXvg1U4ou8z28euz7+hoX4N4rKClSzwzdkQSWj
                                es2nI+DB/QqhXAnkL0UxH3sYd953ejbzxAv8MtZG1up7
                                nNZb117VRmnL+eMe6AG0fuE/OSFaUBv6xw== )
fr.                     172800 IN RRSIG DNSKEY 8 1 172800 20140914071832 (
                                20140716071832 47116 fr.
                                e1Yka0xOaumQgPgyvwhjlYxVTre+m1b9KmM1jvCyT0HV
                                g80llLLzZVq8Ndj/iR+UXH7Ba2VxMZ47WhzdnQ67s/QR
                                cVcXDNILHdurIurPiIpqZuixI3s+nylWYRhUpzaznIKH
                                BznIXCgqIOVFnVowFaBMUvnMiSW2/yvv2jiPtxg= )
fr.                     172800 IN DNSKEY 257 3 8 (
                                AwEAAa2sILZ4XD/QqobSU6NKFRzXwBV3OpHn21LWcGgz
                                84+g9emlizfjWv51lwsERFSgK+AqmKpYegptTY/PQJrg
                                rCAvOEoQBZi3WvnjZFmMvqnZpeFlymIAiRgfAsHdF+Nx
                                o/5eItUoJv3YjquFXcSQXpZJz5w6S/I2n+7W44GuWv3A
                                iNuVJNG6qsy7sEZRc2SpOgM8RPtAQpwcA+YHPuMdIdba
                                O7BEzlnmUN6bOSguVRz1SQR6+5xcLciZ264+whSTKtOy
                                fjLvrrbTyZtXu8s++5xJkDQ8U/yUpBbtNaUVtlKeLFTe
                                Ad8K6xd3ggAR2qLvUMp2XZYBBKF7Lfwn6fcEq6E=
                                ) ; key id = 20122
fr.                     172800 IN DNSKEY 256 3 8 (
                                AwEAAbSTCfGdqPiLkqwzc1MTj0lpXSTS0yKfhgeRXeaO
                                VmDCzSJ2Xo4pWb0ByV6OA9qefTriLiwvXCiPnh3l9rEd
                                T6qBo5AqnMaFhM723DebNr1BVLSZcZP5hadMLTMFexLH
                                +ysquEbPgszN5ZqXTLtcuA9B0wmuX8a/66qq6xUIDq51
                                ) ; key id = 63211
fr.                     172800 IN DNSKEY 256 3 8 (
                                AwEAAaxxBitg7Axk/Ra7HliE/AFvaGqZ49qMpQDPB/lo
                                Ba2/VuswG3IrDqnWzkV/Gdex6MoIFEf9ty6yfdPhwdOh
                                T9sr8auuN/BxMhB0pd7ZkZYYaVzDxN9Zl0k/90BmCNuh
                                9+YyoHpWT49Qz+xInQXKIvkgFAeEDTlqcMf75MgSLJBf
                                ) ; key id = 11353
fr.                     172800 IN DNSKEY 256 3 8 (
                                AwEAAZoFNhNbJMFFKT757RrCsiJWRSDTnhD+F0rsMdWq
                                kSpWxKdCtfxdA8zy2fzKTLYQThN++PLSjYVJx7SazJAM
                                xIvU9N+IfvWokYmJC7amKrVPQfcZkdCbiN4b//aMmokU
                                PV3iNAyzJR0tpoDIve7rTu0OTGtRhveJPuQg5zkG9VFh
                                ) ; key id = 47116
fr.                     172800 IN RRSIG NAPTR 8 1 172800 20140914071832 (
                                20140716071832 47116 fr.
                                KUR7+TrvP0Lpx9yec9qHyJt2BSuKwe9TrTn2yNxqJodu
                                0UQzXJlVZ461kVWudqxmIsjnuz1oHx/rAb3GSJJfa1dL
                                07GduJBJu840+FPeQNDkirTnHX18qzXLi/Vq41cprHX/
                                2Ze5pnUfeYX9zRv+2mGXKZ8MZne14H+72x7iqQ8= )
fr.                     172800 IN NAPTR 100 10 "s" "DCHK1:iris.lwz" "" _iris-lwz._udp.fr.
fr.                     172800 IN RRSIG TXT 8 1 172800 20140926152016 (
                                20140728142016 47116 fr.
                                G+VOyC/P62WeBZ6gx2RstYNfsaPgF73tR3gOWPX/PAlS
                                NjUvxe+ZKH7W58l00+m3LuHrijp0THw4TXddm6IFOFs8
                                iabNXxqcgnHCgRD3+NoPWX86C7L/DOvAefZFNhc7aL5k
                                OTrkaXx9gJhXroq/+UHVsICZase+0twH9JncT/I= )
fr.                     172800 IN TXT "89 RRs processed [28/07/2014 17H20:13]"
fr.                     172800 IN RRSIG NS 8 1 172800 20140914071832 (
                                20140716071832 47116 fr.
                                CY/u5gHzviK94mKIt5dx+qIFjjt4jWzPfVo2ldTFchZI
                                BaSBniwsqInCI5DQBfEinI1QkNGTfxyad8aOkvbFgDWv
                                UT8hFJ3UuM3846xXl7CH5ssjivUQklb7h9U8KYAixuNM
                                +cy9PBLm4Wr997oqx68FeaBUNOTEVtyZfySDuLI= )
fr.                     172800 IN NS d.ext.nic.fr.
fr.                     172800 IN NS f.ext.nic.fr.
fr.                     172800 IN NS g.ext.nic.fr.
fr.                     172800 IN NS e.ext.nic.fr.
fr.                     172800 IN NS d.nic.fr.
fr.                     172800 IN RRSIG SOA 8 1 172800 20140926152016 (
                                20140728142016 47116 fr.
                                WIYAH+TZ+WRBp3g/wuNCvPME46Zc3j9Sv55pYTflHUbu
                                p/MDgdtVn3ps4C8w9WIj6fTwwi/SqQBGBNJMgHZ8BVqg
                                n0SZPdxicRPiit7fOYZ+tP640TyNygM8ejRhNReBY0ip
                                +xKllb0zN8XxQU3P3T6PjhtraxorpgpzI1nKFh4= )

;; ADDITIONAL SECTION:
_iris-lwz._udp.fr.      172800 IN RRSIG SRV 8 3 172800 20140914071832 (
                                20140716071832 47116 fr.
                                K+3NGWDs9ucdp6K/cXJY3CNDGJJ5MdIvIGccj7rrWdbY
                                lTU2CBaQ0vj2FUsmQrHagDPg1LdfSuE5gi5dYP8fG1YO
                                MFG8KjujJ5Pbata0p1q2Hpbsakr/I4JKQKrAwND/ceOG
                                VK8987LCN7RQvdAxiFegXf/oxK+XqUAy6AlhQW4= )
_iris-lwz._udp.fr.      172800 IN SRV 0 0 715 dchk.nic.fr.

;; Query time: 72 msec
;; SERVER: 2001:500:2e::2#53(2001:500:2e::2)
;; WHEN: Mon Jul 28 17:30:27 2014
;; MSG SIZE  rcvd: 2475

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
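
The effect of a server-side EDNS buffer limit below the MTU, as discussed in the message above, worked through in an added example that is not part of the original message. It rebuilds a query like the dig call in the trace, reads the advertised UDP size from its OPT record, and compares the 2475-byte reply with and without a server cap. Assumptions: the function names, the 1232-byte cap, the 1500-byte path MTU, and that a truncated reply carries only header, question and OPT.

```python
import struct

IPV6_HDR, UDP_HDR = 40, 8   # fixed header sizes, bytes

def build_query(qname, qtype=255, edns_size=4096, qid=48851):
    """Constructed wire-format query (ANY, RD, DO set); edns_size=None omits OPT."""
    hdr = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0 if edns_size is None else 1)
    name = b"".join(bytes([len(l)]) + l.encode()
                    for l in qname.strip(".").split(".") if l)
    msg = hdr + name + b"\x00" + struct.pack("!HH", qtype, 1)
    if edns_size is not None:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP size, TTL carries DO bit
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000, 0)
    return msg

def _skip_name(msg, pos):
    """Return the offset just past the domain name starting at pos."""
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def advertised_udp_size(msg):
    """UDP payload size the sender advertises; 512 when there is no OPT record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return max(rclass, 512)       # values below 512 are treated as 512
        pos += 10 + rdlen
    return 512

def plan_response(query, response_len, server_max, path_mtu=1500):
    """How a server with an EDNS buffer cap answers over UDP/IPv6."""
    limit = min(advertised_udp_size(query), server_max)
    truncated = response_len > limit
    # Assumption: a truncated reply (TC=1) is header + question + OPT only,
    # about the size of the query; the client then retries over TCP.
    sent = len(query) if truncated else response_len
    return {
        "truncated": truncated,
        "fragmented": IPV6_HDR + UDP_HDR + sent > path_mtu,
        "amplification": round(sent / len(query), 1),
    }
```

With the cap at 4096 the 2475-byte answer goes out as fragments and is roughly 80 times the size of the query; with the cap at 1232 the UDP reply is truncated, unfragmented, and no larger than the query.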
