Re: [DNSOP] DNS without Fragmentation (UDP and DF bit set) Wed, 21 November 2018 09:57 UTC

Date: Wed, 21 Nov 2018 18:57:18 +0900
Subject: Re: [DNSOP] DNS without Fragmentation (UDP and DF bit set)
List-Id: IETF DNSOP WG mailing list <>

Sorry for the late response. I could not understand the second paragraph about TSIG.

> From: Mark Andrews <>
> Firstly you are insane to recommend dropping PTB’s.  That will break lots of things
> including TCP.

Thanks. I agree.

I was mainly concerned with IPv4. Dropping IPv4 ICMP "fragmentation needed
and DF set" and IPv6 PTB may cause TCP problems.

Then my proposal changed as follows:

  Authoritative servers should set a static EDNS buffer size of 1220
  (and set the DF bit in responses on IPv4).

  Full-service resolvers should set a static EDNS buffer size of 1220
  and should drop fragmented DNS response packets with packet filters:

    IPv4: drop UDP, source port 53, More Fragments bit = 1
    IPv6: drop packets that have Next Header = Fragment,
          fragment offset = 0, More Fragments = 1, next header = UDP,
          source port 53

  TCP will work if the end node is under an ICMP PTB/fragmentation-needed
  attack and the path MTU becomes less than 300.

> Secondly we could just use a well known TSIG key and have the authoritative servers add
> it to their configuration today, especially the root and TLDs servers.  The recursive
> servers could also add the key for root and TLD servers they know have installed the
> well known key.  This is easy to test with tools like dig.

Do you mean TSIG protects from second fragmentation attacks?


Kazunori Fujiwara, JPRS <>
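The resolver-side packet filter proposed in the mail above, written out as a classifier over raw IPv4 and IPv6 packet bytes. This is an added example, not code from the mail or from JPRS: the function names (`should_drop`, `build_ipv4`, `build_ipv6`) are my own, the sample packets are constructed in the block using documentation addresses (192.0.2.0/24 and 2001:db8::/32), and the DNS payload is a zero placeholder. It applies the two rules literally: IPv4 UDP from source port 53 with the More Fragments bit set, and IPv6 with a Fragment header directly after the fixed header carrying offset 0, M = 1, next header UDP, source port 53.

```python
import struct

# Constants behind the mail's filter rules: UDP source port 53 marks a DNS
# reply, IPv4 protocol 17 is UDP, IPv6 Next Header 44 is the Fragment header.
DNS_PORT = 53
IPPROTO_UDP = 17
IPV6_NH_FRAGMENT = 44


def ipv4_is_fragmented_dns_reply(pkt: bytes) -> bool:
    """IPv4 rule: UDP, source port 53, More Fragments (MF) bit = 1.

    Only the first fragment (offset 0) carries the UDP header, so a port match
    can only hit that fragment; dropping it is enough to make the receiver's
    reassembly of the whole datagram fail.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_fragments = (flags_frag >> 13) & 1       # MF is bit 13 of this word
    frag_offset = flags_frag & 0x1FFF
    if pkt[9] != IPPROTO_UDP or not more_fragments or frag_offset != 0:
        return False
    if len(pkt) < ihl + 8:                        # truncated: no full UDP header
        return False
    src_port = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return src_port == DNS_PORT


def ipv6_is_fragmented_dns_reply(pkt: bytes) -> bool:
    """IPv6 rule: Next Header = Fragment, offset = 0, M = 1, next header = UDP,
    source port 53.

    As written in the mail, the rule expects the Fragment header right after
    the fixed header; a packet with other extension headers in between (for
    example Hop-by-Hop) does not match and would need an extension-header walk.
    """
    if len(pkt) < 40 + 8 or pkt[0] >> 4 != 6:
        return False
    if pkt[6] != IPV6_NH_FRAGMENT:
        return False
    frag = pkt[40:48]                             # 8-byte Fragment header
    inner_next_header = frag[0]
    offset_and_m = struct.unpack("!H", frag[2:4])[0]
    frag_offset = offset_and_m >> 3               # upper 13 bits, 8-octet units
    more_fragments = offset_and_m & 1             # M flag is the low bit
    if inner_next_header != IPPROTO_UDP or frag_offset != 0 or not more_fragments:
        return False
    if len(pkt) < 48 + 8:                         # truncated: no full UDP header
        return False
    src_port = struct.unpack("!H", pkt[48:50])[0]
    return src_port == DNS_PORT


def should_drop(pkt: bytes) -> bool:
    """Apply the resolver-side filter from the mail to one raw IP packet."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4:
        return ipv4_is_fragmented_dns_reply(pkt)
    if version == 6:
        return ipv6_is_fragmented_dns_reply(pkt)
    return False


# --- constructed sample packets (not captured traffic) -----------------------

def build_ipv4(src_port: int, more_fragments: bool, offset: int = 0) -> bytes:
    """Minimal IPv4 + UDP packet shaped like a first fragment of a DNS reply."""
    payload = b"\x00" * 16                        # placeholder for DNS bytes
    udp = struct.pack("!HHHH", src_port, 40000, 8 + len(payload), 0) + payload
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(udp), 0x1234, flags_frag, 64,
                      IPPROTO_UDP, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET-1
    return hdr + udp


def build_ipv6(src_port: int, more_fragments: bool, offset: int = 0) -> bytes:
    """Minimal IPv6 + Fragment header + UDP packet with a placeholder payload."""
    payload = b"\x00" * 16
    udp = struct.pack("!HHHH", src_port, 40000, 8 + len(payload), 0) + payload
    frag = struct.pack("!BBHI", IPPROTO_UDP, 0,
                       (offset << 3) | (1 if more_fragments else 0), 0x1234)
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(frag) + len(udp),
                      IPV6_NH_FRAGMENT, 64, src, dst)
    return hdr + frag + udp


if __name__ == "__main__":
    for name, pkt in [("v4 first fragment of a reply", build_ipv4(53, True)),
                      ("v4 unfragmented reply", build_ipv4(53, False)),
                      ("v6 first fragment of a reply", build_ipv6(53, True)),
                      ("v6 fragment from port 1234", build_ipv6(1234, True))]:
        print(f"{name}: {'DROP' if should_drop(pkt) else 'pass'}")
```

Running the block prints DROP for the two first fragments from port 53 and pass for the other two. Note what the filter deliberately does not do: it never inspects non-first fragments, because they carry no UDP header to match on; the design relies on the loss of the first fragment to defeat reassembly, which is exactly why a resolver pairing this filter with a 1220-byte EDNS buffer size still receives complete, unfragmented answers.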