In message <[email protected]>, Masataka Ohta writes:
> Mark Andrews wrote:
> 
> >>> So?  Fragmented packets *do* get through the network.  Where
> >>> they don't it slows up DNS resolution and the firewall usually
> >>> gets fixed to allow fragments.
> >> 
> >> Yes, hopefully within a decade or two, some firewall maybe fixed.
> >> So?
> > 
> > Actually the firewalls get fixed pretty quickly in most cases.
> 
> If you are thinking of ideal world with relatively new firewalls,
> maybe.
> 
> The problem is that, in the real world, there are a lot of
> firewalls with maintenance period expired.

Well most of the ones with DNS/UDP size limits have configuration
options to turn the check off.  For those that don't, DNS and DNSSEC
will still operate through them.

> >> But, even today, how much, in your opinion, is the assured-to-be- 
> >> safe DNS message size over IPv6 with 1280B of MTU?
> > 
> > Well we have space for around 700 bytes of additional header space 
> > before EDNS@512 will fail due to fragments being dropped.  Now I'm 
> > sure one could artificially consume those 700 bytes but for the 
> > moment I'm not worried.
> 
> You haven't answered my question.
> 
> How much, in your opinion, is the assured-to-be-safe DNS message
> size over IPv6 with 1280B of MTU?

If you have idiotic software adding idiotic amounts of headers it
will break both TCP and UDP and someone will then fix the problem.

> Without such size, statements like:
> 
> > BIND 9.10 changes the first state to do variable-size probing: it
> > will try 512, 1232, 1432, and 4096, starting at the bottom and
> > working up and down depending on what works. The middle numbers come
> > from the minimum IPv6 MTU minus space for headers, and the ethernet
> > MTU minus v4 and v6 headers to allow for tunneling.
> 
> cannot be made.

The sizes were chosen to allow v4-in-v6 and v6-in-v4 to pass.  If
other headers become common we can add more break points.  The lower
bound will remain 512 bytes.

>                                               Masataka Ohta
> 
> PS
> 
> It should be noted that my modest proposal to have some
> (e.g. 256B) reasonable limit on the extension header
> length with an explanation that applications such as DNS
> need some limit was formally rejected by IPv6 WG (in
> Danvers meeting in 1995, IIRC) that you should expect
> more.

And 256B is better than 257B how?  People will still only add headers
if the resulting packet gets through, or they will come up with a
different solution.  You don't need a fixed limit.  You just need to
depend upon self-interest prevailing.

> IPv6 is produced by collective stupidity.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
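The arithmetic behind the 1232 and 1432 probe sizes quoted above, and a toy model of the "start at the bottom and work up and down" probing that the BIND 9.10 description sketches, as an added example that is not part of the thread and not BIND's own code. The header sizes are the standard IPv6 (40), IPv4 (20) and UDP (8) header lengths; the `path_limit` model of a path that silently drops anything larger is an assumption made for illustration, not a description of real firewall behaviour:

```python
"""Added example: EDNS UDP payload budget and a toy model of BIND-style probing.
Not from the thread and not BIND's implementation; header sizes are the
standard fixed-header lengths, the path model below is an assumption."""

IPV6_MIN_MTU = 1280   # minimum link MTU every IPv6 path must carry
ETHERNET_MTU = 1500
IPV6_HDR = 40
IPV4_HDR = 20
UDP_HDR = 8
EDNS_FLOOR = 512      # the lower bound the reply says will remain
PROBE_LADDER = (512, 1232, 1432, 4096)


def safe_payload(mtu, headers):
    """Largest DNS message that fits one datagram without fragmentation."""
    return mtu - sum(headers)


def header_budget(mtu, payload, headers):
    """Bytes of extra (extension or tunnel) headers the path can absorb before
    a DNS message of `payload` bytes must be fragmented."""
    return mtu - payload - sum(headers)


def probe_sequence(path_limit, ladder=PROBE_LADDER):
    """Toy model (assumption, not BIND's code): the path silently drops any
    datagram whose DNS payload exceeds `path_limit`.  Start at the bottom of
    the ladder, step up while answers arrive, and settle on the largest size
    that worked.  The 512-byte floor is kept even if nothing larger succeeds.
    Returns (chosen_size, [(probe_size, succeeded), ...])."""
    trace = []
    chosen = EDNS_FLOOR
    for size in ladder:
        ok = size <= path_limit
        trace.append((size, ok))
        if not ok:
            break
        chosen = size
    return chosen, trace


if __name__ == "__main__":
    # 1280 - 40 - 8 = 1232: minimum IPv6 MTU minus v6 and UDP headers
    print("IPv6 minimum MTU, plain v6/UDP:",
          safe_payload(IPV6_MIN_MTU, [IPV6_HDR, UDP_HDR]))
    # 1500 - 40 - 20 - 8 = 1432: ethernet MTU minus v6, v4 and UDP headers
    print("Ethernet MTU, v4-in-v6 or v6-in-v4 tunnel:",
          safe_payload(ETHERNET_MTU, [IPV6_HDR, IPV4_HDR, UDP_HDR]))
    # the "around 700 bytes" of header room before EDNS@512 fragments
    print("Header room left at 512 over a 1280 path:",
          header_budget(IPV6_MIN_MTU, EDNS_FLOOR, [IPV6_HDR, UDP_HDR]))
    # constructed path that drops DNS payloads larger than 1300 bytes
    print("Probing a 1300-byte path:", probe_sequence(1300))
```

The first two computations reproduce the quoted ladder values exactly; the third shows where the "around 700 bytes" figure comes from (720 on a 1280-byte path with plain v6/UDP headers). The probe model is deliberately simple: it settles on the largest size that worked, which is what a resolver needs to learn about a path that drops fragments, and it never goes below 512.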

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
