IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements

Peter van Dijk <peter.van.dijk@powerdns.com> Mon, 19 April 2021 16:40 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BB303A3A0A for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 09:40:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BkSmgvhVZXhu for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 09:40:17 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0D53A39F5 for <dnsop@ietf.org>; Mon, 19 Apr 2021 09:40:17 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id BF9BF6A0C6; Mon, 19 Apr 2021 18:40:15 +0200 (CEST)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id FRtcLW+yfWAfIwAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Mon, 19 Apr 2021 18:40:15 +0200
Message-ID: <645e26770b29553fb31d1acf509d01b9807c1e7b.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Mon, 19 Apr 2021 18:40:15 +0200
In-Reply-To: <9FDEDB22-997A-479A-9EC8-818988BC1A79@hopcount.ca>
References: <93D82731-7B33-4E39-8DEF-FF6C14803191@gmail.com> <9FDEDB22-997A-479A-9EC8-818988BC1A79@hopcount.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d7hvJQVdmJ2pDJGjIbAzteI7LQk>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 16:40:22 -0000

On Mon, 2021-04-19 at 07:31 -0400, Joe Abley wrote:
> NEW:
> 
>    For IPv4-connected hosts, the MTU is often the Ethernet payload
>    size of 1500 bytes.  This means that the largest unfragmented
>    UDP DNS message that can be sent over IPv4 is likely 1472 bytes,
>    although tunnel encapsulation may reduce that maximum message
>    size in some cases.
> 
>    For IPv6, the situation is a little more complicated.  First,
>    IPv6 headers are 40 bytes (versus 20 without options in IPv4).
>    Second, it seems as though some people have mis-interpreted
>    IPv6's required minimum MTU of 1280 as a required maximum.  Third,
>    fragmentation in IPv6 can only be done by the host originating
>    the datagram.  The need to fragment is conveyed in an ICMPv6
>    "packet too big" message.  The originating host indicates a
>    fragmented datagram with IPv6 extension headers.  Unfortunately,
>    it is quite common for both ICMPv6 and IPv6 extension headers
>    to be blocked by middleboxes. According to [HUSTON] some 37% of
>    IPv6-capable recursive resolvers were unable to receive a
>    fragmented IPv6 packet.  Even if the originating host does receive
>    a signal that fragmentation is required, the stateless nature
>    of the DNS protocol is such that the host does not generally
>    retain a copy of the message concerned and hence is unable to  
>    fragment and re-send anyway. 

This note on statelessness is good, but I don't think it should be tied to IPv6. Packets get lost in IPv4 too, especially when they are big, and even if such evens trigger a report in the form of an ICMP message, the same lack-of-state problem applies.

https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/ even proposes setting DONTFRAG socket options, and some servers out there already send IPv4 replies with the DF bit set (the two I can verify immediately are OpenDNS, and whatever is running on the router my provider gave me, but most likely there are others too).

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email