nanog mailing list archives

Re: v6 DNSSEC fail, was Buying IPv4 blocks


From: Mark Andrews <marka () isc org>
Date: Fri, 5 Oct 2018 15:53:24 +1000



> On 5 Oct 2018, at 3:12 pm, Mark Tinka <mark.tinka () seacom mu> wrote:
>
> On 5/Oct/18 03:07, John Levine wrote:
>
> > Yeah, V6 UDP fragmentation and anycast are bad news.  You can sort of
> > fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot
> > easier to stick to v4.
> >
> > Geoff Huston has written about this a lot and it's a well known problem
> > in the DNS community.  I'm surprised if it's news to anyone here.
>
> https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/
>
> In BIND, I think this can be solved by using the "minimal-responses" knob.
>
> Mark.

If you don’t want fragmented IPv6 UDP responses use

        server ::/0 { edns-udp-size 1232; };

That’s 1280 - IPv6 header - UDP header.  Anything bigger than that can theoretically
be fragmented.  You will then have to deal with PMTUD failures as the servers switch
over to TCP.

What I find ridiculous is firewall vendors that claim to support adding stateful rules
on demand but don’t add “from <src> to <dst> frag offset != 0” when they add
“from <src> to <dst> proto xxx src-port <dst-port> dst-port <src-port>”, or don’t do
packet reassembly to work around the lack of passing fragments.  This is IP and fragments
are part and parcel of IP whether it is IPv4 or IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org

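The firewall complaint in the message, as an added Python example (not from the message or from any vendor's product): it fragments a constructed 1600-byte UDP/IPv6 DNS answer the way a sending host does, shows that only the first fragment carries the UDP header, and emulates a stateful filter with and without the companion "from <src> to <dst> frag offset != 0" entry. The addresses (2001:db8::1 as resolver, 2001:db8::53 as server), ports and answer size are constructed sample values, and the UDP checksum is left at zero because the packets are only parsed, never sent.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_UDP = 17
NH_FRAGMENT = 44      # IPv6 Fragment extension header


def make_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header: version 6, no traffic class/flow label, hop limit 64."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def make_udp(sport, dport, data):
    # Checksum left at zero: constructed sample for parsing, not for sending.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, next_header, payload, ident, mtu=IPV6_MIN_MTU):
    """Split one upper-layer payload into IPv6 fragments as a sending host does.
    Every fragment gets a Fragment header; the UDP header is just the first bytes
    of the payload, so it appears only in the fragment with offset 0."""
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8   # 1232 at the minimum MTU
    pkts = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        # Fragment header: next header, reserved, offset (in 8-byte units) << 3 | M flag, identification
        fh = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        pkts.append(make_ipv6(src, dst, NH_FRAGMENT, fh + piece))
    return pkts


def classify(pkt):
    """What a filter can see without reassembly: addresses, protocol, fragment offset,
    and ports only when the packet actually contains the UDP header."""
    _, _, nh, _ = struct.unpack("!IHBB", pkt[:8])
    info = {
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "proto": nh, "frag_offset": 0, "sport": None, "dport": None,
    }
    off = IPV6_HDR_LEN
    if nh == NH_FRAGMENT:
        inner_nh, _, offm, _ = struct.unpack("!BBHI", pkt[off:off + FRAG_HDR_LEN])
        info["proto"] = inner_nh
        info["frag_offset"] = offm >> 3
        off += FRAG_HDR_LEN
    if info["proto"] == NH_UDP and info["frag_offset"] == 0:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    return info


def stateful_allow(pkt, flow_state, frag_state):
    """flow_state: dynamic 5-tuple entries (src, dst, proto, sport, dport) added on demand.
    frag_state: the companion (src, dst) entries for 'frag offset != 0'.
    A non-first fragment has no ports, so without frag_state it can never match."""
    i = classify(pkt)
    if i["frag_offset"] == 0:
        return (i["src"], i["dst"], i["proto"], i["sport"], i["dport"]) in flow_state
    return (i["src"], i["dst"]) in frag_state


def demo(with_frag_rule):
    """Resolver 2001:db8::1 queried 2001:db8::53 from port 40000 and the firewall
    installed the return-flow entry. The server's 1600-byte answer needs two
    fragments at MTU 1280. Returns (first_fragment_allowed, second_fragment_allowed)."""
    resolver, server = "2001:db8::1", "2001:db8::53"
    flow_state = {(server, resolver, NH_UDP, 53, 40000)}
    frag_state = {(server, resolver)} if with_frag_rule else set()
    answer = b"\xaa" * 1600     # constructed oversized DNSSEC response body
    frags = fragment(server, resolver, NH_UDP, make_udp(53, 40000, answer), ident=0xABCD)
    return tuple(stateful_allow(p, flow_state, frag_state) for p in frags)
```

`demo(False)` returns `(True, False)`: the first fragment matches the 5-tuple entry, the second is silently dropped and the resolver never sees a complete answer. `demo(True)` returns `(True, True)`. Reassembling on the firewall before filtering is the other fix the message names; it avoids the per-address fragment rule but costs state and buffer space on the box.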
