v6 DNSSEC fail, was Buying IPv4 blocks

Mark Andrews marka at isc.org
Fri Oct 5 05:53:24 UTC 2018



> On 5 Oct 2018, at 3:12 pm, Mark Tinka <mark.tinka at seacom.mu> wrote:
> 
> 
> 
> On 5/Oct/18 03:07, John Levine wrote:
> 
>> Yeah, V6 UDP fragmentation and anycast are bad news.  You can sort of
>> fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot
>> easier to stick to v4.
>> 
>> Geoff Huston has written about this a lot and it's a well known problem
>> in the DNS community.  I'm surprised if it's news to anyone here.
>> 
>> 
>> https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/
> 
> In BIND, I think this can be solved by using the "minimal-responses" knob.
> 
> Mark.

If you don’t want fragmented IPv6 UDP responses use

	server ::/0 { edns-udp-size 1232; };

That’s 1280 - IPv6 header - UDP header.  Anything bigger than that can theoretically
be fragmented.  You will then have to deal with PMTUD failures as the servers switch
over to TCP.

What I find ridiculous is firewall vendors that claim to support adding stateful rules
on demand but don’t add “from <src> to <dst> frag offset != 0” when they add
“from <src> to <dst> proto xxx src-port <dst-port> dst-port <src-port>”, or don’t do
packet reassembly to work around the lack of passing fragments.  This is IP, and
fragments are part and parcel of IP whether it is IPv4 or IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
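The 1232-byte figure above and the EDNS(0) OPT pseudo-RR that `edns-udp-size` sets, as an added Python example that is not part of this post or of BIND: it computes the largest UDP payload that fits one packet for a given MTU and IP header size, builds a query whose OPT record (RFC 6891) advertises that size, and reads the advertised size back out of a message. The query name, transaction id and helper names are assumptions.

```python
import struct

IPV6_MIN_MTU = 1280   # every IPv6 link must carry this without fragmentation
IPV6_HEADER = 40
IPV4_HEADER = 20
UDP_HEADER = 8
OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type code


def max_unfragmented_udp_payload(mtu=IPV6_MIN_MTU, ip_header=IPV6_HEADER):
    """Largest UDP payload that fits in a single packet of the given MTU."""
    return mtu - ip_header - UDP_HEADER


def build_edns_query(qname, qtype=1, udp_size=1232, txid=0x1234):
    """DNS query (RD set) with one question and an OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended rcode/version/flags (all zero here), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the wire-format name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_edns_udp_size(msg):
    """UDP payload size advertised in the message's OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name, then qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None
```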