In the intarea meeting, there was some discussion of
"IP fragmentation considered fragile"
https://tools.ietf.org/html/draft-bonica-intarea-frag-fragile
That draft correctly calls out the DNS as particularly problematic wrt
fragmentation, so I think it might be worth writing a dnsop draft that
explains how to reduce the amount that the DNS causes fragmented packets
and relies on them working.
I think this draft should provide advice to implementers about how
their code should behave in its default configuration. I think a lot
of the advice should be basically writing down things that we (or some
of us) already know.
I don't know if we need different flavours of advice for stub -> recursive
and for recursive -> authoritative.
Here are some sketchy notes on what this might say...
* client side
  * implement PMTUD by probing with different EDNS buffer sizes
    * needs to be per-server
    * start with small buffer size and work upwards
  * probe sizes (not necessarily in this order)
    * 512
    * 1280 - tunnel headers
    * 1280
    * 1500 - tunnel headers
    * 1500
    * 4096
* server side
  * avoid putting too many records in a response
  * when the client has a small buffer size, try to avoid truncating
  * when the client has a large buffer size, still return a small
    sub-MTU response, e.g. with unilateral minimized responses,
  * does it make sense to provide partial glue instead of truncating,
    to avoid fallback to TCP?
  * does it make sense for a server to try to work out if the client is
    doing PMTUD, or is that too much complexity for too little benefit?
  * recommend minimal-any :-)
* security considerations
  * reflection / amplification ddos is bad, mmmkay?
  * risks of excess TC leading to overload
Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
South Utsire, Forties, Cromarty, Forth: Westerly or southwesterly, veering
northwesterly for a time, 5 to 7, decreasing 4 or 5 later. Slight or moderate
in Cromarty and Forth, otherwise moderate or rough. Occasional rain. Good,
occasionally poor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop