Hi David,

On 07/28/2014 04:05 PM, David Conrad wrote:
> Hi,
> 
> On Jul 28, 2014, at 5:48 AM, Nicholas Weaver
> <nwea...@icsi.berkeley.edu> wrote:
>> The IPv6 net has decreed “No, really, FRAGMENTS DO NOT WORK”.
> 
> This could be a bit of an issue when the DNSSEC root key is rolled.
> Could someone point me to a writeup and/or data as to how we know
> the above decree? (I'm not disagreeing, I just haven't really been
> following this for a while).
> 
>> The solution is to detect and fallback on EDNS0 MTU to retry at
>> 1400B first (rather than directly down to 512b), and properly
>> handle truncation.
> 
> How many shipping resolvers actually do this?

Unbound implements this.  Since version 1.4.19 (Dec 2012) at sizes
1472 and 1232.  Earlier it also did this in version 1.4.14 (Dec 2011)
at sizes of 1480 and 1260 (but those are slightly wrong and that could
cause issues if the 1480-response has a size 1472..1480).

The logic in these versions is: if there is a timeout on EDNS0-4096
then retry with the 1400 version.  Handle truncation with TCP.  Like
Nicholas suggests above.  There is more logic that eventually falls
back to non-EDNS (and the non-EDNS-ness is cached) but that is not
pertinent to your question.

Best regards,
   Wouter


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
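
The retry order described in the mail above (EDNS0-4096, then a fragmentation-safe size, then non-EDNS, with truncation handled over TCP), as an added sketch that is not Unbound's code and not part of the original message. It assumes 1472 is the IPv4 size and 1232 the IPv6 size; `send_udp`, `send_tcp` and `make_path` are hypothetical names, and the lossy path is constructed for the example.

```python
# Added illustration of the fallback order in the mail; not Unbound source code.
# Assumption: 1472 is used for IPv4 (1500-20-8) and 1232 for IPv6 (1280-40-8).
FRAG_SAFE = {4: 1472, 6: 1232}

class Timeout(Exception):
    """Raised by a transport when no reply arrives."""

def resolve(family, send_udp, send_tcp, cache):
    """Return (answer, transport, advertised_size).

    send_udp(size) -> (answer, truncated); size None means plain DNS (512 bytes).
    send_tcp() -> answer. Both transports are supplied by the caller.
    """
    attempts = [None] if cache.get("no_edns") else [4096, FRAG_SAFE[family], None]
    for size in attempts:
        try:
            answer, truncated = send_udp(size)
        except Timeout:
            continue  # reply probably fragmented and dropped: advertise less
        if size is None:
            cache["no_edns"] = True  # remember that only non-EDNS worked
        if truncated:
            return send_tcp(), "tcp", size  # TC bit set: fetch full answer over TCP
        return answer, "udp", size
    raise Timeout("no reply at any advertised size")

def make_path(response_len, max_unfragmented, edns_ok=True):
    """Constructed path: UDP replies above max_unfragmented are silently lost."""
    def send_udp(size):
        if size is not None and not edns_ok:
            raise Timeout()  # server or middlebox that drops EDNS queries
        limit = 512 if size is None else size
        if response_len > limit:
            return None, True  # server truncates to fit the advertised size
        if response_len > max_unfragmented:
            raise Timeout()  # reply needed fragments, which never arrive
        return "answer", False
    return send_udp, lambda: "answer"

if __name__ == "__main__":
    # A 1700-byte reply (constructed size) over an IPv6 path that drops fragments.
    print(resolve(6, *make_path(1700, 1232), cache={}))
```

Without the intermediate step the resolver would drop straight from 4096 to plain DNS, losing EDNS (and with it DNSSEC) for every answer from that server rather than using TCP only for the oversized ones.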