* W. C. A. Wijngaards:

> Commonly, people block ICMP, and over IPv6 this blocks fragments because
> ICMP PMTU Discovery ICMP messages need to traverse the firewall. Some
> firewalls do not support UDP-connection-tracking with fragmentation on
> IPv6 (such as pf). These are random IPv6 hints ... :-)

For IPv6, the DNS server must fragment to about 1200 bytes per packet, or
cap EDNS0 buffer sizes at about 1150 bytes. I'm not sure how many servers
get this right. I'm not even sure if there's a suitable kernel interface
to achieve that.

The equivalent problem in IPv4 land has been solved, although there are
some DNS hosts who still do not get it right. But IPv4 is much, much
easier because most systems can just send DF=0 packets.

-- 
Florian Weimer <[email protected]>
BFK edv-consulting GmbH, http://www.bfk.de/
Kriegsstraße 100, tel: +49-721-96201-1
D-76133 Karlsruhe, fax: +49-721-96201-99

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
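
One way to apply the EDNS0 cap described in the message above, as an added example that is not part of the original post or of Unbound's code: read the buffer size a client advertises in its OPT record and clamp it to 1150 bytes for queries arriving over IPv6, answering with TC=1 when the response does not fit. The function names and the constructed sample query are assumptions made for illustration.

```python
import struct

IPV6_EDNS_CAP = 1150    # figure from the message above
PLAIN_DNS_LIMIT = 512   # UDP limit when the query carries no OPT record
TYPE_OPT = 41

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                 # root label ends the name
            return off

def advertised_udp_size(query):
    """UDP payload size the client advertises via EDNS0, else 512."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", query, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            # The OPT CLASS field carries the size; below 512 counts as 512.
            return max(rclass, PLAIN_DNS_LIMIT)
    return PLAIN_DNS_LIMIT

def response_limit(query, over_ipv6):
    """Largest UDP response to send: capped on IPv6 to avoid fragments."""
    size = advertised_udp_size(query)
    return min(size, IPV6_EDNS_CAP) if over_ipv6 else size

def must_truncate(response_len, query, over_ipv6):
    """True when the server should reply with TC=1 (client retries on TCP)."""
    return response_len > response_limit(query, over_ipv6)

def build_query(udp_size=None):
    """Constructed sample: query for example.com/A, optional OPT record."""
    qname = b"\x07example\x03com\x00"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    msg = header + qname + struct.pack("!HH", 1, 1)
    if udp_size:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg
```

Malformed queries raise `IndexError` or `struct.error` here; a server would catch those and drop the packet or answer FORMERR.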
