Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
* Hannes Frederic Sowa:

> On Tue, Sep 23, 2014, at 23:41, Mark Andrews wrote:
>> As for atomic fragments, it is a separate issue out of control of the nameserver.
>
> Because of a possible DoS vector atomic fragments will be deprecated soon:
> http://tools.ietf.org/html/draft-gont-6man-deprecate-atomfrag-generation-00

Not too surprisingly, this issue was already discussed before RFC 6946 was published, and several participants recommended to abolish atomic fragments for various reasons, including denial-of-service issues. At least it's finally getting fixed.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Tue, Sep 23, 2014, at 23:41, Mark Andrews wrote:
> As for atomic fragments, it is a separate issue out of control of the nameserver.

Because of a possible DoS vector atomic fragments will be deprecated soon:
http://tools.ietf.org/html/draft-gont-6man-deprecate-atomfrag-generation-00

Bye,
Hannes
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 23, 2014, at 2:34 PM, Roland Dobbins rdobb...@arbor.net wrote:
> On Sep 24, 2014, at 12:16 AM, Florian Weimer f...@deneb.enyo.de wrote:
>> Fragmentation in IPv4 is inherently insecure.
>
> Conceptually, yes, it's a Very Bad Idea. But given the realities of the TCP/IP we have, it's important that network operators understand that they can't filter out non-initial fragments, or they'll break the Internet for their customers.

But what about the customers that use recursive nameservers, does it make sense for them to block fragments at the edge and even on the other side of the link at the edge?
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 25, 2014, at 1:46 AM, Franck Martin fmar...@linkedin.com wrote:
> But what about the customers that use recursive nameservers, does it make sense for them to block fragments at the edge and even on the other side of the link at the edge?

No, no, no. They'll break the Internet if they do that.

My point was in response to Florian's - Florian is right that conceptually, fragmentation as it was implemented is a bag of hurt. But with the TCP/IP we have, we *must* allow fragments through, or we break the Internet.

---
Roland Dobbins rdobb...@arbor.net
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
Under the context of this discussion, I want to ask a question about DNS UDP size in IPv4/IPv6.

I read SAC-035 about a test on Broadband Routers and Firewalls. There are 27% of DNS proxies that still cannot pass packets larger than 512. I don't know whether it will be overcome by using IPv6 for transportation. In the specification, the IPv6 MTU is 1280, which gives some relief to that constraint.

Somebody may say the enlargement of the IPv6 MTU is trivial and does not do much to help EDNS0 efficiency (more large packets 1280). But my argument is that the enlargement to 1280-1500 is vital and enough for the case of the priming exchange and DNSSEC.

To defend my point, I need some data and experience from dual-stack DNS operators who may have compared IPv4 and IPv6 DNS operation before. Do you guys have any idea or pointers to related documents?

Thank you in advance.

Davey

On Sat, Sep 13, 2014 at 5:37 PM, Franck Martin fmar...@linkedin.com wrote:
> I'm trying to figure out EDNS with UDP fragmentation on both IPv4 and IPv6 networks.
>
> My understanding is that UDP fragmentation is something frowned upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)?
>
> What is the recommended setup for EDNS?
> - limit size to 1500? on both IPv4 and IPv6?
> - allow UDP fragmentation on IPv4 and IPv6, how securely?
>
> How does that play with DNSSEC large data records?
>
> I have seen that with some low TTL, bind tends not to fall back (from 4096 to 512) fast enough often to return an answer within the time allocated.
>
> Any good documentation, pointers?
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sat, Sep 13, 2014 at 09:37:52AM +, Franck Martin fmar...@linkedin.com wrote a message of 61 lines which said:
> - limit size to 1500? on both IPv4 and IPv6?

It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS). For fragmentation, I would not care, as explained here.

On an authoritative name server, you know the response sizes (use DSC to see it). DNSKEY responses are typically the largest. Check it before decreasing the limit.
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 3:25 PM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
> It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS).

Actually, this isn't really what we're seeing - ntp and SSDP and SNMP and chargen and tftp reflection/amplification attacks are all taking place *alongside* DNS reflection/amplification attacks, rather than supplanting them. We sometimes see DNS reflection/amplification attacks mixed with ntp or SSDP in multi-vector reflection/amplification attacks, mainly in the gaming space.

Differing communities of 'interest', IMHO.

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 5:52 PM, Tony Finch d...@dotat.at wrote:
> That is, you need to limit the size of response that you send (max-udp-size in BIND terms).

Do you recommend that it be lowered to 1280 or thereabouts for IPv6?

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 5:52 PM, Tony Finch d...@dotat.at wrote:
> max-udp-size in BIND terms

btw, my impression is that the OP was asking about network policies, not DNS server settings - correction welcome if this wasn't the case.

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
In message 3cb37b5b-fa6c-42f7-8ccf-7eb40ae29...@arbor.net, Roland Dobbins writes:
> On Sep 13, 2014, at 6:58 PM, Mark Andrews ma...@isc.org wrote:
>> But do force IPv6 to fragment at 1280. This avoids PMTUD.
>
> Personally, I'd rather see pressure on networks to do The Right Thing in terms of ICMPv6 . . . ;

PMTUD for DNS/UDP is a pain in the butt. Even if you get a PTB message you do not have the data to resend the packet with a different fragmentation point. This is why the precursor to IPV6_USE_MIN_MTU was invented back in the 1990's. Some data streams work with PMTUD and some don't. This is also the same reason that, with IPv4, PMTUD is only supposed to be on by default for TCP and not for anything else. Named also tries to disable PMTUD for IPv4 when the stack mis-implements PMTUD.

DNS/TCP doesn't have this issue, but there is no real benefit, except maybe for large zone transfers, in trying to find the biggest path MTU when 1280 is quite acceptable for DNS/TCP. The occasional extra packet on a DNS/TCP transaction is not harmful in the great scheme of things.

This isn't about getting the network to do the right thing as much as it should. It is about PMTUD being a bad fit for DNS.

Mark

> --
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
> Equo ne credite, Teucri. -- Laocoön

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
I'm trying to figure out EDNS with UDP fragmentation on both IPv4 and IPv6 networks.

My understanding is that UDP fragmentation is something frowned upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)?

What is the recommended setup for EDNS?
- limit size to 1500? on both IPv4 and IPv6?
- allow UDP fragmentation on IPv4 and IPv6, how securely?

How does that play with DNSSEC large data records?

I have seen that with some low TTL, bind tends not to fall back (from 4096 to 512) fast enough often to return an answer within the time allocated.

Any good documentation, pointers?
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 13, 2014, at 4:37 PM, Franck Martin fmar...@linkedin.com wrote:
> My understanding is that UDP fragmentation is something frowned upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)?

No. IP fragmentation is a normal part of TCP/IP communications across the Internet. It isn't something to actively wish for, but it's perfectly normal.

> - limit size to 1500? on both IPv4 and IPv6?

No.

> - allow UDP fragmentation on IPv4 and IPv6, how securely?

Yes, allow it; there's no security issue. This is a myth originating with clueless vendors in the mid-1990s, and propagated today by Confused Information Systems Security Professionals (CISSPs) and their ilk.

> Any good documentation, pointers?

Slide 153 of this deck:
https://app.box.com/s/r7an1moswtc7ce58f8gg

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
In message 5dd7f8ba-adb7-4132-9672-7fe53174e...@arbor.net, Roland Dobbins writes:
> On Sep 13, 2014, at 4:37 PM, Franck Martin fmar...@linkedin.com wrote:
>> My understanding is that UDP fragmentation is something frowned upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)?
>
> No. IP fragmentation is a normal part of TCP/IP communications across the Internet. It isn't something to actively wish for, but it's perfectly normal.
>
>> - limit size to 1500? on both IPv4 and IPv6?
>
> No.

But do force IPv6 to fragment at 1280. This avoids PMTUD.

>> - allow UDP fragmentation on IPv4 and IPv6, how securely?
>
> Yes, allow it; there's no security issue. This is a myth originating with clueless vendors in the mid-1990s, and propagated today by Confused Information Systems Security Professionals (CISSPs) and their ilk.
>
>> Any good documentation, pointers?
>
> Slide 153 of this deck:
> https://app.box.com/s/r7an1moswtc7ce58f8gg
>
> --
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
> Equo ne credite, Teucri. -- Laocoon

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
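The size arithmetic the thread keeps circling (the EDNS0 buffer a client advertises, the server-side ceiling BIND calls max-udp-size, the 1280-byte IPv6 minimum MTU Mark recommends fragmenting at, and DNSKEY answers that are larger than any of those) worked through as an added example. This is not code from the thread, from BIND, or from any poster: the function names (`build_query`, `advertised_udp_size`, `udp_limit`, `plan_response`) are hypothetical, the 1700-byte DNSKEY answer is a constructed figure, and the overhead figures assume a plain IPv6 header plus UDP (48 bytes) and an option-less IPv4 header plus UDP (28 bytes), so the largest unfragmented UDP payloads on those paths are 1232 and 1472 bytes respectively.

```python
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
IPV6_MIN_MTU = 1280         # every IPv6 link must carry at least this (RFC 2460)
ETHERNET_MTU = 1500         # assumed IPv4 path MTU for the example
IPV6_UDP_OVERHEAD = 40 + 8  # IPv6 header + UDP header, no extension headers (assumption)
IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header (assumption)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_DNSKEY, udp_payload=4096, txid=0x1234,
                do_bit=True, edns=True):
    """Build a DNS query; with edns=True it carries an OPT RR (RFC 6891).

    The OPT RR stores the advertised UDP buffer size in its CLASS field and the
    DNSSEC OK (DO) bit as the high bit of the low 16 bits of its TTL field.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    if not edns:
        return header + question
    ttl = 0x00008000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)  # root name, rdlen 0
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the EDNS0 buffer size a query advertises, or None if it has no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return None


def udp_limit(advertised, max_udp_size):
    """Largest UDP response the server may send for a query.

    No OPT RR means the RFC 1035 limit of 512 bytes.  RFC 6891 treats advertised
    values below 512 as 512, and the server never exceeds its own configured
    ceiling (max-udp-size in BIND terms).
    """
    if advertised is None:
        return 512
    return min(max(advertised, 512), max_udp_size)


def plan_response(response_len, advertised, max_udp_size, ipv6, path_mtu=None):
    """Decide how a response of `response_len` bytes leaves the server.

    Returns (transport, limit): 'tcp' when the message exceeds the UDP limit
    (the server answers with TC=1 and the client retries over TCP), 'udp' when
    it fits one datagram on the path, 'udp-fragmented' when the IP layer must
    fragment it.  path_mtu defaults to 1280 for IPv6 (fragmenting at the
    minimum MTU avoids depending on PMTUD) and to 1500 for IPv4.
    """
    limit = udp_limit(advertised, max_udp_size)
    if response_len > limit:
        return ("tcp", limit)
    if path_mtu is None:
        path_mtu = IPV6_MIN_MTU if ipv6 else ETHERNET_MTU
    overhead = IPV6_UDP_OVERHEAD if ipv6 else IPV4_UDP_OVERHEAD
    if response_len + overhead > path_mtu:
        return ("udp-fragmented", limit)
    return ("udp", limit)


if __name__ == "__main__":
    query = build_query("example.com.", udp_payload=4096)
    print("query bytes:", len(query), "advertised:", advertised_udp_size(query))
    # Constructed 1700-byte DNSKEY answer: fits the 4096 default, never fits 1280.
    for ipv6 in (False, True):
        for ceiling in (4096, 1232):
            print("ipv6" if ipv6 else "ipv4", ceiling, plan_response(1700, 4096, ceiling, ipv6))
```

Run as a script it prints the four outcomes for the constructed answer: with max-udp-size left at 4096 the 1700-byte response goes out over UDP and is fragmented on both families; lowering the ceiling to 1232 (the largest payload that fits a 1280-byte IPv6 packet) turns the same answer into a TC=1 reply and a TCP retry, which is the trade Stephane's advice to measure DNSKEY response sizes first is about. Setting max-udp-size to 1280 itself, as Roland asks, still leaves 48 bytes of IPv6 headers on top, so a 1280-byte payload would fragment; 1232 is the value that does not.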
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On 13 September 2014 06:24, Roland Dobbins rdobb...@arbor.net wrote:
> No. IP fragmentation is a normal part of TCP/IP communications across the Internet. It isn't something to actively wish for, but it's perfectly normal.

Google "Fragmentation Considered Harmful" - nothing significant has changed in the decades that have passed. I still wouldn't turn it off, but there are issues you should be aware of.

> Yes, allow it; there's no security issue. This is a myth originating with clueless vendors in the mid-1990s, and propagated today by Confused Information Systems Security Professionals (CISSPs) and their ilk.

In the 1990s fragmentation-based attacks against IP stacks were very real, it took a long time for vendors to fix their stacks completely, and longer to get fixes deployed; we didn't have the patch-everything-monthly culture firmly established yet. I agree that I wouldn't worry too much about the *security* of IP fragmentation today, but back then it was not a myth.

[ get off my lawn ;) ]

--
Harald
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 13, 2014, at 6:58 PM, Mark Andrews ma...@isc.org wrote:
> But do force IPv6 to fragment at 1280. This avoids PMTUD.

Personally, I'd rather see pressure on networks to do The Right Thing in terms of ICMPv6 . . . ;

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön