DNSOP WG, Paul Vixie and I submitted draft-ietf-dnsop-avoid-fragmentation-00. Please review it.
> https://tools.ietf.org/html/draft-ietf-dnsop-avoid-fragmentation-00

I may have some mistakes. I could not find links to show differences from draft-fujiwara-dnsop-avoid-fragmentation-03. Please see the differences at this URL:

https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-fujiwara-dnsop-avoid-fragmentation-03.txt&url2=https://tools.ietf.org/id/draft-ietf-dnsop-avoid-fragmentation-00.txt

Differences from -03 to -00 are:

* Added "DNSSEC is a countermeasure .." in Intro.
* Removed 7.2 DNS packet size.
* Moved details of Minimal-responses to appendix B.
* Added reference to draft-ietf-tsvwg-datagram-plpmtud.
* And more.

We would like to make some changes in -01.

* Adding new text in abstract.

  "EDNS0 enables a DNS server to send large responses using UDP and is widely deployed."

* Change text related to TCP in Introduction, because TCP changes the MSS value to avoid IP fragmentation under ICMP NEEDFRAG attacks.

  OLD:
  By comparison, TCP is considered resistant against IP fragmentation attacks because TCP has a 32-bit sequence number and 32-bit acknowledgment number in each segment.

  NEW:
  By comparison, the TCP protocol stack controls packet size and avoids IP fragmentation under ICMP NEEDFRAG attacks. In TCP, fragmentation should be avoided for performance reasons, whereas for UDP, fragmentation should be avoided for resiliency and authenticity reasons.

* I would like to use "in-domain" (defined in RFC 8499).

  OLD:
  and in-zone and below-zone glue in the additional data section.

  NEW:
  and in-domain (in-zone and below-zone) glue in the additional data section.

Regards,

--
Kazunori Fujiwara, JPRS <[email protected]>

> From: [email protected]
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>
> Title : Fragmentation Avoidance in DNS
> Authors : Kazunori Fujiwara
> Paul Vixie
> Filename : draft-ietf-dnsop-avoid-fragmentation-00.txt
> Pages : 10
> Date : 2020-06-30
>
> Abstract:
> Path MTU discovery remains widely undeployed due to security issues,
> and IP fragmentation has exposed weaknesses in application protocols.
> Currently, DNS is known to be the largest user of IP fragmentation.
> It is possible to avoid IP fragmentation in DNS by limiting response
> size where possible, and signaling the need to upgrade from UDP to
> TCP transport where necessary. This document proposes to avoid IP
> fragmentation in DNS.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-avoid-fragmentation-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-00
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
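The draft's abstract describes two mechanisms: limit the UDP response size where possible, and signal the need to upgrade to TCP where necessary. The following is an added illustration of that server-side decision, not code from the draft, its authors, or any DNS implementation. It builds a minimal DNS header and question on the wire, picks the effective UDP payload limit from the client's EDNS0 buffer size (512 bytes when the query carries no OPT RR, per RFC 1035), caps it at a server-side maximum, and sets the TC bit with an empty answer section when the full response would not fit. The 1232-byte server cap, the message ID, the example.com question and the 192.0.2.0/24 A records are all constructed values for this example; the draft text quoted in this message does not specify them.

```python
import struct

RFC1035_UDP_MAX = 512    # UDP payload limit for a query without EDNS0 (RFC 1035)
SERVER_UDP_MAX = 1232    # assumed local policy cap on what we send over UDP; not from the draft text above

FLAG_QR = 0x8000         # response bit
FLAG_TC = 0x0200         # truncated bit: tells the client to retry over TCP

TYPE_A = 1
CLASS_IN = 1


def effective_udp_limit(requested_bufsize):
    """Largest UDP payload we are willing to send to this client.

    requested_bufsize is the client's EDNS0 UDP payload size, or None if
    the query carried no OPT RR (then only the RFC 1035 512-byte limit applies).
    """
    if requested_bufsize is None:
        return RFC1035_UDP_MAX
    return min(requested_bufsize, SERVER_UDP_MAX)


def encode_name(name):
    """Encode a dotted name ("example.com.") as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def make_question(name, qtype=TYPE_A, qclass=CLASS_IN):
    """Question section: QNAME, QTYPE, QCLASS."""
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def make_a_rr(i, ttl=300):
    """Constructed A record pointing at the question name (0xC00C = offset 12).

    Addresses are taken from the 192.0.2.0/24 documentation range.
    """
    rdata = bytes([192, 0, 2, i % 256])
    return struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_header(msg_id, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def build_udp_response(msg_id, question, answer, authority, additional, requested_bufsize):
    """Return (wire_bytes, truncated).

    If the complete response fits within the effective UDP limit it is sent
    as-is. Otherwise the server sends only the header and question with
    TC=1, signalling the client to upgrade to TCP rather than relying on
    IP fragmentation of an oversized UDP datagram.
    """
    limit = effective_udp_limit(requested_bufsize)
    body = question + b"".join(answer) + b"".join(authority) + b"".join(additional)
    full = build_header(msg_id, FLAG_QR, 1, len(answer), len(authority), len(additional)) + body
    if len(full) <= limit:
        return full, False
    truncated = build_header(msg_id, FLAG_QR | FLAG_TC, 1, 0, 0, 0) + question
    return truncated, True


def has_tc(wire):
    """True if the TC bit is set in a wire-format DNS message header."""
    flags = struct.unpack("!H", wire[2:4])[0]
    return bool(flags & FLAG_TC)


if __name__ == "__main__":
    q = make_question("example.com.")
    rrs = [make_a_rr(i) for i in range(40)]        # 40 x 16 bytes = 640 bytes of answer
    for bufsize in (None, 4096):
        wire, tc = build_udp_response(0x1234, q, rrs, [], [], bufsize)
        print(f"bufsize={bufsize}: {len(wire)} bytes on the wire, TC={tc}")
```

With no OPT RR the 669-byte response exceeds 512 bytes, so the client receives a 29-byte TC=1 reply and retries over TCP; with an advertised 4096-byte buffer the same response is sent whole, because 669 bytes is under the assumed 1232-byte server cap. A 100-record answer exceeds even that cap and is truncated regardless of what the client advertises.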
