On 6/21/13 10:03 AM, Ray Hunter wrote:
I have also read this draft.
It mentions that DNSSEC will be impacted.
What's the alternative if DNSSEC can't send multiple UDP fragments?
so I'm pretty sure I don't want to expose myself to really big replies
because that pushed the opportunity to amplify considerably.
so EDNS0 limited to ~1420 or ~1280 I could probably live with.
Isn't expecting a busy DNS server to maintain TCP session state for
every single query going to be prohibitively expensive?
handshakes are expensive yes, and imho significant effort should be
engaged in to avoid that.
Leading to even bigger DoS worries than fragmentation apparently causes?
The cost shifts. I'm not that excited about making connections over TCP
unless I have to.
Isn't using TCP for all DNS queries going to considerably slow down the
name resolution process, which will impact all applications?
(multiple RTT for the connection establishment and teardown if you clean
up properly)
Since PMTUD is also currently pretty broken in practice, also due to
"Operator Behavior" and filtering of ICMPv6 in firewalls, doesn't this
memo effectively state that IPv6 = 1280 octets?
So, I'm not willing to throw up my hands in despair over PMTUD yet.
there are certainly cases where it doesn't work. they're a little less
chronic than not being able to find the L4 header.
regards,
RayH
Ronald Bonica wrote:
Hi Tassos,
Thanks for reviewing the draft. Could you provide more detail on what is
missing?
Ron
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------