Re: [DNSOP] avoiding fragmented DNS-over-UDP

Mukund Sivaraman <muks@isc.org> Wed, 21 March 2018 16:26 UTC

Date: Wed, 21 Mar 2018 21:56:20 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
Message-ID: <20180321162619.GA15674@jurassic>
References: <alpine.DEB.2.11.1803211607160.16357@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IlxCfzVVnWGSv3e_sA_8wI2B4ms>
Subject: Re: [DNSOP] avoiding fragmented DNS-over-UDP

On Wed, Mar 21, 2018 at 04:10:15PM +0000, Tony Finch wrote:
> In the intarea meeting, there was some discussion of
> "IP fragmentation considered fragile"
> https://tools.ietf.org/html/draft-bonica-intarea-frag-fragile
> 
> That draft correctly calls out the DNS as particularly problematic wrt
> fragmentation, so I think it might be worth writing a dnsop draft that
> explains how to reduce the amount that the DNS causes fragmented packets
> and relies on them working.

Some topics in the same area:

(1) An alternative is to split responses at the application level into
multiple UDP datagrams:
https://tools.ietf.org/html/draft-muks-dnsop-dns-message-fragments-00

(2) There is a tiny risk of spoofed fragments. Cookies should mitigate
some of this risk as the OPT RR would usually go in the last IP fragment
(this should be OK for up to 2 fragments). A mechanism to mitigate IP
fragment spoofing would be a stronger (than UDP) checksum:
https://tools.ietf.org/html/draft-muks-dnsop-dns-message-checksums-01

		Mukund
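An added illustration of point (2), not part of the thread: a small Python model of how a DNS-over-UDP response is cut into IPv4 fragments, reporting which fragment(s) carry the trailing OPT RR (with its EDNS COOKIE option), so one can see why the cookie covers only the last fragment and why the argument holds for two fragments but leaves middle fragments uncovered. It assumes IPv4 without IP options, a sender fragmenting at a 1500-byte MTU with no PMTUD, and the OPT RR as the last RR in the message; all lengths and cookie bytes are constructed.

```python
import struct

IPV4_HDR = 20   # assumption: IPv4 header without options
UDP_HDR = 8


def opt_rr_with_cookie(client_cookie, server_cookie=b"", udp_size=4096):
    """Wire-format OPT RR (RFC 6891) carrying an EDNS COOKIE option
    (RFC 7873, option code 10). NAME is the root label, TYPE is 41,
    CLASS holds the advertised UDP payload size, TTL holds ext-RCODE,
    version and flags (all zero here)."""
    cookie = client_cookie + server_cookie
    rdata = struct.pack("!HH", 10, len(cookie)) + cookie
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata


def ipv4_fragments(payload_len, mtu=1500):
    """Split an IP payload (UDP header + DNS message) into the byte ranges
    [start, end) that a sender would put into successive IPv4 fragments.
    Every fragment but the last carries a multiple of 8 bytes."""
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    frags, start = [], 0
    while start < payload_len:
        end = min(start + per_frag, payload_len)
        frags.append((start, end))
        start = end
    return frags


def cookie_fragments(dns_len, opt_rr, mtu=1500):
    """Return (fragment count, indices of fragments holding any OPT RR byte)
    for a DNS message of dns_len bytes whose last RR is opt_rr."""
    frags = ipv4_fragments(UDP_HDR + dns_len, mtu)
    first = UDP_HDR + dns_len - len(opt_rr)   # OPT starts here in the IP payload
    last = UDP_HDR + dns_len - 1
    holders = [i for i, (s, e) in enumerate(frags) if s <= last and first < e]
    return len(frags), holders


if __name__ == "__main__":
    opt = opt_rr_with_cookie(b"\x01" * 8, b"\x02" * 8)   # constructed cookies
    for size in (500, 1480, 2000, 4000):
        print(size, cookie_fragments(size, opt))
```

A 4000-byte response yields three fragments with the cookie only in the third, so the second fragment carries nothing a cookie check can tie to the transaction; the 1480-byte case shows the OPT RR itself straddling a fragment boundary.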