Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-00.txt Wed, 08 July 2020 08:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75ADA3A0C2F for <>; Wed, 8 Jul 2020 01:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rxJE6NsLJL-y for <>; Wed, 8 Jul 2020 01:01:26 -0700 (PDT)
Received: from ( [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 902E43A0C28 for <>; Wed, 8 Jul 2020 01:01:25 -0700 (PDT)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id 06881OL0022570 for <>; Wed, 8 Jul 2020 17:01:24 +0900
Received: from (localhost []) by postfix.imss91 (Postfix) with ESMTP id 0ED3C6024070 for <>; Wed, 8 Jul 2020 17:01:24 +0900 (JST)
Received: from localhost ( []) by (Postfix) with ESMTP id 03D3A6024061 for <>; Wed, 8 Jul 2020 17:01:24 +0900 (JST)
Date: Wed, 08 Jul 2020 17:01:23 +0900 (JST)
Message-Id: <>
In-Reply-To: <>
References: <>
X-Mailer: Mew version 6.8 on Emacs 24.5
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-TM-AS-Product-Ver: IMSS-
X-TM-AS-Result: No--28.380-5.0-31-10
X-imss-scan-details: No--28.380-5.0-31-10
X-TMASE-Version: IMSS-
X-TMASE-Result: 10--28.380400-10.000000
X-TMASE-MatchedRID: I087BnUjGmFCXIGdsOwlUu5i6weAmSDKJqv0GX3SOh3tkF1BQZiRHVz+ OVMA6rt+X3N2wuk+nwqQiLJmDGsjCg7Qbfq/wswqnVTWWiNp+v8O9z+P2gwiBT07m5a3Vf0j+99 ny1sxIVztFovLlHA2T6ldHs0DobMi4bVbyN6yIMlY2G7H7/NxxPngX/aL8PCNd3XtjqAaoML0pa v77IFAozKqjQMJSwhdJAuQGb9odMATpX/Z22DgpofjhHUc+9i8y0Q+dW8+UWQfVuGrjP7J9LzaX ivzszfvOOksNVagLUHvKZzofGiLPE5iWL96Ug/NaDCzqDR7DPaL4szjQe8SOubwKsUcyAY2mLlf jFh7sDr3OF0UjQGrupnd5GvZSlDO0igOBJ9dDbBO8qlnOXFSz88WrkDqCn1roA1qZKkyr6FOVR7 i88n9KsIDsntzwCZMYKPpoMOmeu6sjWybeQhEwElR2DE0NRdaVCGp3g4/hjtxOV2f0RqkNUwicw 3eWSo0FBc1en9XwCjQlN7xn+yB0B5Z0c0F3GZNTl/FCEyiTx72hUAowGKip6tkcxxU6EVI9xu1Z b5VzUt4Q5z7q6iGT8uT6pyURQPh5UcZtwNsCro5f9Xw/xqKXcidYBYDjITpBjEBOiFWiCaWM1/N ByeF17L1D3ZkqVjazhcsGxgF64Iqtq5d3cxkNQP90fJP9eHt
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jul 2020 08:01:28 -0000


Paul Vixie and I submitted draft-ietf-dnsop-avoid-fragmentation-00.
Please review it.


I may have some mistakes, I could not find links to show differences
from draft-fujiwara-dnsop-avoid-fragmentation-03.
Please see differences from this URL.

Differences from -03 to 00 are
  Added "DNSSEC is a countermeasure .." in Intro.
  Removed 7.2 DNS packet size.
  Moved details of Minimal-responses to appendix B
  Added reference to draft-ietf-tsvwg-datagram-plpmtud

And more, we would like to make some changes in -01.

  * Adding new text in abstract.

    "EDNS0 enables a DNS server to send large responses using UDP
     and is widely deployed."

  * Change text related to TCP in Introduction because TCP changes MSS
    value to avoid IP fragmentation under ICMP NEEDFRAG attacks.

      By comparison, TCP is considered resistant against IP
      fragmentation attacks because TCP has a 32-bit sequence number
      and 32-bit acknowledgment number in each segment.

      By comparison, TCP protocol stack controls packet size and
      avoid IP fragmentation under ICMP NEEDFRAG attacks.

  In TCP, fragmentation should be avoided for performance reasons, whereas for
  UDP, fragmentation should be avoided for resiliency and authenticity reasons.

  * I would like to use "in-domain" (defined in RFC 8499)

    OLD: and in-zone and below-zone glue in the additional data section.
    NEW: and in-domain (in-zone and below-zone) glue in the additional data section.


Kazunori Fujiwara, JPRS <>

> From:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>         Title           : Fragmentation Avoidance in DNS
>         Authors         : Kazunori Fujiwara
>                           Paul Vixie
> 	Filename        : draft-ietf-dnsop-avoid-fragmentation-00.txt
> 	Pages           : 10
> 	Date            : 2020-06-30
> Abstract:
>    Path MTU discovery remains widely undeployed due to security issues,
>    and IP fragmentation has exposed weaknesses in application protocols.
>    Currently, DNS is known to be the largest user of IP fragmentation.
>    It is possible to avoid IP fragmentation in DNS by limiting response
>    size where possible, and signaling the need to upgrade from UDP to
>    TCP transport where necessary.  This document proposes to avoid IP
>    fragmentation in DNS.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> DNSOP mailing list