[DNSOP] Re: draft-ietf-dnsop-avoid-fragmentation-17.txt - implementer notes

Benno Overeinder <benno@NLnetLabs.nl> Thu, 06 June 2024 11:19 UTC

Message-ID: <a826b28b-93e2-409f-a127-9c349f441e00@NLnetLabs.nl>
Date: Thu, 06 Jun 2024 13:19:04 +0200
To: DNSOP Working Group <dnsop@ietf.org>
References: <170926168476.21652.3145041523766661930@ietfa.amsl.com> <c998f646-bc1c-4671-9ad9-d0b1d3558d86@isc.org>
From: Benno Overeinder <benno@NLnetLabs.nl>
In-Reply-To: <c998f646-bc1c-4671-9ad9-d0b1d3558d86@isc.org>
CC: draft-ietf-dnsop-avoid-fragmentation.authors@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z0LeUQRBKqRwgTA12tq5Z7g8pWA>

Hi all,

Speaking as one of the DNS implementers and as part of providing 
feedback on the current draft revision, we have reformulated 
recommendation R2.  It expresses the intention not to fragment UDP 
packets and points out that different operating systems have different 
ways of achieving this.

The current concern of open-source DNS software developers with Linux is 
that IP_MTU_DISCOVER is not well documented, it has changed over time, 
one has to look into the kernel code to see what is really going on, 
and it is fragile.

New text for R2:

-----

R2.  UDP responders should configure their systems to prevent 
fragmentation of UDP packets when sending replies, provided it can be 
done safely. The mechanisms to achieve this vary across different 
operating systems.

For BSD-like operating systems, the IP "Don't Fragment" (DF) bit 
[RFC0791] can be used to prevent fragmentation. In contrast, Linux 
systems do not expose a direct API for this purpose and require the use 
of Path MTU socket options (IP_MTU_DISCOVER) to manage fragmentation 
settings. However, it is important to note that enabling IPv4 Path MTU 
Discovery for UDP in current Linux versions is considered harmful and 
dangerous. For more details, refer to Appendix C.

-----


On 06/05/2024 15:59, Petr Špaček wrote:
> Hello dnsop,
> 
> Warren asked implementers to provide feedback on the current text, so 
> I'm doing just that.
> 
> I'm not an apt copywriter but hopefully following notes will provide 
> material for other people to formulate commentary to supplement the 
> recommendations.
> 
> 

<snip/><snap/>

Cheers,

-- Benno
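Added here as a worked example, not text from the draft or from the e-mail above: a C helper that applies the proposed R2 to an IPv4 UDP socket with the OS-specific control the text names (IP_DONTFRAG on BSD-like systems, an IP_MTU_DISCOVER policy on Linux), plus a read-back check. The helper names are assumptions; the choice of IP_PMTUDISC_OMIT as the non-PMTUD Linux policy is the example's, not a statement of what the draft's Appendix C says.

```c
/* Added example, not text from the draft or the e-mail; helper names are
 * ours.  Applies R2 to an IPv4 UDP socket with the mechanism each OS has:
 * IP_DONTFRAG on BSD-like systems, IP_MTU_DISCOVER policies on Linux. */
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_MTU_DISCOVER) && !defined(IP_PMTUDISC_OMIT)
#define IP_PMTUDISC_OMIT 5 /* Linux uapi value (3.15+); older glibc lacks it */
#endif

/* Keep replies on fd out of IPv4 Path MTU Discovery.  0 on success, -1 on
 * failure with errno set (ENOPROTOOPT if this OS offers neither control). */
int udp_ipv4_nofrag_set(int fd)
{
#if defined(IP_DONTFRAG)
    /* BSD-like: DF on every datagram; a reply larger than the interface
     * MTU fails with EMSGSIZE instead of being fragmented. */
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, sizeof(on));
#elif defined(IP_MTU_DISCOVER)
    /* Linux: IP_PMTUDISC_DO (DF set, ICMP "fragmentation needed" honoured)
     * is the PMTUD mode R2 calls harmful for UDP.  IP_PMTUDISC_OMIT keeps
     * DF clear and ignores the cached path MTU; the responder must still
     * cap its own reply size so nothing exceeds the interface MTU. */
    int policy = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &policy, sizeof(policy));
#else
    (void)fd; errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Read the setting back: 1 if fd is configured as above, 0 if not, -1 on error. */
int udp_ipv4_nofrag_check(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
#if defined(IP_DONTFRAG)
    if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, &len) < 0) return -1;
    return val != 0;
#elif defined(IP_MTU_DISCOVER)
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0) return -1;
    return val == IP_PMTUDISC_OMIT;
#else
    (void)fd; (void)val; (void)len;
    return -1;
#endif
}
```

Call udp_ipv4_nofrag_set() right after creating each listening UDP socket and refuse to serve if it fails, so a misbuilt binary does not silently fall back to the kernel's default PMTUD policy.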