Re: [DNSOP] DNS without Fragmentation (UDP and DF bit set)

fujiwara@jprs.co.jp Wed, 21 November 2018 09:57 UTC

Date: Wed, 21 Nov 2018 18:57:18 +0900 (JST)
Message-Id: <20181121.185718.220102845612104153.fujiwara@jprs.co.jp>
To: marka@isc.org
Cc: dnsop@ietf.org
From: fujiwara@jprs.co.jp
In-Reply-To: <DEE1DC56-A2FA-46BA-8824-396E62EF1985@isc.org>
References: <20181105.013607.854519297338098286.fujiwara@jprs.co.jp> <DEE1DC56-A2FA-46BA-8824-396E62EF1985@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VCfkWnA4zKBKNf4pxvE6WBQQvwU>
Subject: Re: [DNSOP] DNS without Fragmentation (UDP and DF bit set)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>

Sorry for the late response. I could not understand the second paragraph about TSIG.

> From: Mark Andrews <marka@isc.org>
> Firstly you are insane to recommend dropping PTB’s.  That will break lots of things
> including TCP.

Thanks. I agree. 

I was mainly concerned with IPv4. Dropping IPv4 ICMP "fragmentation needed
and DF set" and IPv6 PTB may cause TCP problems.

So my proposal has changed as follows:

  Authoritative servers should set a static EDNS buffer size of 1220
  (and set the DF bit in responses on IPv4).

  Full-service resolvers should set a static EDNS buffer size of 1220
  and should drop fragmented DNS response packets with packet filters:

    IPv4: drop UDP, source port 53, More Fragments bit = 1
    IPv6: drop packets that have Next Header = Fragment,
          fragment offset = 0, More Fragments = 1, next header = UDP,
          UDP source port 53

  TCP will work if the end node is under an ICMP PTB/fragmentation-needed
    attack and the path MTU becomes less than 300.

> Secondly we could just use a well known TSIG key and have the authoritative servers add
> it to their configuration today, especially the root and TLDs servers.  The recursive
> servers could also add the key for root and TLD servers they know have installed the
> the well known key.  This is easy to test with tools like dig.

Do you mean that TSIG protects against second fragmentation attacks?

Regards,

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
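As an added illustration (not part of the message above), the two resolver-side filter rules from the proposal expressed as a small packet classifier over raw IPv4/IPv6 packets, run on constructed sample packets. It assumes that in IPv6 the Fragment header directly follows the base header (no other extension headers in between), which is the common case for fragmented UDP responses.

```python
import struct

UDP, IPV6_FRAG = 17, 44

def ipv4_drop(pkt: bytes) -> bool:
    """IPv4 rule: UDP, source port 53, More Fragments = 1.
    Only the first fragment (offset 0) carries the UDP header, so the
    port check is only possible there; later fragments then time out."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    mf, offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    if pkt[9] != UDP or not mf or offset != 0 or len(pkt) < ihl + 8:
        return False
    return struct.unpack("!H", pkt[ihl:ihl + 2])[0] == 53

def ipv6_drop(pkt: bytes) -> bool:
    """IPv6 rule: Next Header = Fragment, offset = 0, M = 1,
    fragment's next header = UDP, UDP source port 53.
    Assumption: the Fragment header immediately follows the base header."""
    if len(pkt) < 50 or pkt[0] >> 4 != 6 or pkt[6] != IPV6_FRAG:
        return False
    frag_nxt = pkt[40]
    off_m = struct.unpack("!H", pkt[42:44])[0]
    offset, m = off_m >> 3, off_m & 1
    if frag_nxt != UDP or offset != 0 or m != 1:
        return False
    return struct.unpack("!H", pkt[48:50])[0] == 53

def should_drop(pkt: bytes) -> bool:
    return ipv4_drop(pkt) or ipv6_drop(pkt)

# Constructed sample packets (addresses zeroed, checksums not computed).
def make_ipv4(sport: int, mf: bool, offset: int = 0, proto: int = UDP) -> bytes:
    flags_frag = (0x2000 if mf else 0) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag,
                      64, proto, 0, bytes(4), bytes(4))
    return hdr + struct.pack("!HHHH", sport, 40000, 8, 0)

def make_ipv6(sport: int, m: int, offset: int = 0, frag_nxt: int = UDP) -> bytes:
    base = struct.pack("!IHBB16s16s", 0x60000000, 16, IPV6_FRAG, 64,
                       bytes(16), bytes(16))
    frag = struct.pack("!BBHI", frag_nxt, 0, (offset << 3) | m, 0xABCD)
    return base + frag + struct.pack("!HHHH", sport, 40000, 8, 0)

if __name__ == "__main__":
    print(should_drop(make_ipv4(53, mf=True)), should_drop(make_ipv6(53, m=1)))
```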