[v6ops] Re: Carrying large DNS packets over UDP in IPv6 networks

Paul Vixie <paul@redbarn.org> Sun, 23 June 2024 20:32 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 31FE3C14F602 for <v6ops@ietfa.amsl.com>; Sun, 23 Jun 2024 13:32:53 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bvaaGpmIml2o for <v6ops@ietfa.amsl.com>; Sun, 23 Jun 2024 13:32:49 -0700 (PDT)
Received: from util.redbarn.org (util.redbarn.org []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00110C14F5F8 for <v6ops@ietf.org>; Sun, 23 Jun 2024 13:32:48 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "*.redbarn.org", Issuer "RapidSSL TLS RSA CA G1" (not verified)) by util.redbarn.org (Postfix) with ESMTPS id 7C63219CCAE; Sun, 23 Jun 2024 20:32:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1719174768; bh=VQFvSONTTE7FM6BVvkdsS5ynE2EIyKwFtERC2TgZpNU=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=eke5P57vdxEjARY8JaV4MMzRnaHImtJBqCDZdNZvrO7m/mzekmM183g04yJdZRCdY hYvv2Dx+IQm2CsrZManSm10S6tBG12s4nxJgzG0zA89/1XkBDOmvyzoYinQCa2Tea0 zzLq0x6lg3IX6SybJRacVLLxVnk+mr2N+dxQ+n8A=
Received: from [] (dhcp-159.access.rits.tisf.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 55519C3F21; Sun, 23 Jun 2024 20:32:48 +0000 (UTC)
To: "C. M. Heard" <heard@pobox.com>
References: <CACL_3VFuWhqLQ2xnKh33tsnx6fpk39zqs0Kb49AP6yrpU1wuzg@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <f838c517-95e4-a4f5-1401-cc1880f3a0ed@redbarn.org>
Date: Sun, 23 Jun 2024 13:32:47 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.60
MIME-Version: 1.0
In-Reply-To: <CACL_3VFuWhqLQ2xnKh33tsnx6fpk39zqs0Kb49AP6yrpU1wuzg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-MailFrom: paul@redbarn.org
CC: "v6ops@ietf.org" <v6ops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [v6ops] Re: Carrying large DNS packets over UDP in IPv6 networks
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/n1PpzSe607TdYTVuv7bgMV0A6OI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

C. M. Heard wrote on 2024-06-23 13:06:
> ...
>>> If I remember the discussion correctly, quite a few open source DNS servers
>>> do not set the DF flag for IPv4 and have no plans to do so.
> It would be more correct to say "do not plan to do so for the time being." The
> issue seems to be that many or most versions of Linux systems do not provide a
> means to set the DF bit without turning on IPv4 PMTU discovery, which is seen
> as problematic owing to the ease with which ICMP messages can be forged. See
> https://mailarchive.ietf.org/arch/msg/dnsop/Z0LeUQRBKqRwgTA12tq5Z7g8pWA/

i think the Linux syscall API has been and could still be revised from 
time to time, but that even if it could not be revised, that would not 
be an excuse to freeze the protocol at the API's current capability level.

> It is granted that the DF issue that Linux has does not affect IPv6.
> But security issues with forged ICMP PTB messages certainly do.

if we're going to change the ICMP specification to address security 
risks, i'll join that discussion. until we do that, i don't expect any 
existing DF=1 sender (such as some TCP stacks) to stop trusting PTB. in 
other words this is a distraction.

P Vixie
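The Linux socket knob the quoted paragraph refers to, as an added example written for this page (it is not code from the thread, from the linked dnsop message, or from any DNS server project): it maps the three sender policies under discussion (fragment freely; set DF and trust ICMP PTB; set DF and ignore PTB) onto the IP_MTU_DISCOVER and IPV6_MTU_DISCOVER modes that ip(7) and ipv6(7) document, reads the mode back through getsockopt so the caller sees what actually took effect, and computes the largest UDP payload that fits an unfragmented packet of a given MTU. The enum and function names and the sizing helper are this example's own; it assumes Linux with glibc or musl headers. The DF-but-ignore-PTB case uses IP_PMTUDISC_PROBE, which ip(7) describes as "Set DF but ignore Path MTU"; with it the kernel will not shrink or fragment a datagram in response to a PTB, so a datagram larger than the interface MTU is refused at send time rather than fragmented, and the policy is per socket, so it does not change what the kernel learns for other sockets or for TCP.

```c
/* pmtu_policy.c: per-socket Path-MTU policy for a UDP DNS responder on Linux.
 * Added example for this page, not code from the v6ops thread or any DNS server.
 * Assumes Linux with glibc or musl headers; mode names follow ip(7) / ipv6(7). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The three choices the thread argues about, named by their security effect
 * (names are this example's own). */
enum df_policy {
    DF_OFF,            /* clear DF (v4) / fragment at source (v6); no PTB needed */
    DF_ON_TRUST_PTB,   /* set DF and shrink to the path MTU learned from ICMP PTB */
    DF_ON_IGNORE_PTB   /* set DF but ignore PTB: forged PTBs cannot shrink this socket */
};

/* Map the policy onto the kernel's IP_MTU_DISCOVER / IPV6_MTU_DISCOVER mode. */
static int policy_to_mode(int family, enum df_policy p) {
    if (family == AF_INET) {
        switch (p) {
        case DF_OFF:           return IP_PMTUDISC_DONT;
        case DF_ON_TRUST_PTB:  return IP_PMTUDISC_DO;
        case DF_ON_IGNORE_PTB: return IP_PMTUDISC_PROBE; /* ip(7): set DF, ignore path MTU */
        }
    } else if (family == AF_INET6) {
        switch (p) {
        case DF_OFF:           return IPV6_PMTUDISC_DONT;
        case DF_ON_TRUST_PTB:  return IPV6_PMTUDISC_DO;
        case DF_ON_IGNORE_PTB: return IPV6_PMTUDISC_PROBE;
        }
    }
    return -1;
}

/* Apply the policy to fd and return the mode the kernel reports back through
 * getsockopt, so the caller can verify what took effect; -1 with errno set on failure. */
int apply_df_policy(int fd, int family, enum df_policy p) {
    int level = (family == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6;
    int opt   = (family == AF_INET) ? IP_MTU_DISCOVER : IPV6_MTU_DISCOVER;
    int mode  = policy_to_mode(family, p);
    if (mode < 0) {
        errno = EINVAL;
        return -1;
    }
    if (setsockopt(fd, level, opt, &mode, sizeof mode) < 0)
        return -1;
    int got = -1;
    socklen_t len = sizeof got;
    if (getsockopt(fd, level, opt, &got, &len) < 0)
        return -1;
    return got;
}

/* Largest UDP payload that fits one unfragmented packet of the given MTU:
 * MTU minus the fixed IP header (20 for v4, 40 for v6) minus the 8-byte UDP header.
 * For the IPv6 minimum MTU of 1280 this is 1232, a response size that needs
 * neither fragmentation nor trust in PTB to get through. */
int max_udp_payload(int family, int mtu) {
    int ip_hdr = (family == AF_INET) ? 20 : 40;
    int payload = mtu - ip_hdr - 8;
    return payload > 0 ? payload : 0;
}

int main(void) {
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int mode = apply_df_policy(fd, AF_INET6, DF_ON_IGNORE_PTB);
    if (mode < 0) {
        perror("apply_df_policy");
        close(fd);
        return 1;
    }
    printf("IPV6_MTU_DISCOVER mode now %d (PROBE=%d)\n", mode, IPV6_PMTUDISC_PROBE);
    printf("UDP payload that fits the IPv6 minimum MTU: %d\n",
           max_udp_payload(AF_INET6, 1280));
    close(fd);
    return 0;
}
```

Reading the mode back is the check worth keeping in production code: the setsockopt succeeds for any valid mode, so a misconfigured policy only shows up if you confirm what the socket is actually running with.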