[Dnsmasq-discuss] Cannot set edns-packet-max < 4096 with DNSSEC enabled

Anders Kaseorg andersk at mit.edu
Tue Nov 25 11:01:23 GMT 2014


dnsmasq refuses to honor an --edns-packet-max option less than 
EDNS_PKTSZ == 4096:

#ifdef HAVE_DNSSEC
   /* Enforce min packet big enough for DNSSEC */
   if (option_bool(OPT_DNSSEC_VALID) && daemon->edns_pktsz < EDNS_PKTSZ)
     daemon->edns_pktsz = EDNS_PKTSZ;
#endif

Since 4096 is already the default value if --edns-packet-max is not 
specified, and no standard requires a minimum of 4096, I think this 
check should be deleted so that a user can force dnsmasq to advertise a 
lower UDP payload size if they know that TCP fallback is working better 
than UDP fragments.

(The context is that I’m trying to debug a problem with Comcast’s IPv6 
DNS servers, which seem unable to send me large UDP packets:

$ dig +short +bufsize=4096 +dnssec @2001:558:feed::1 org -t dnskey
;; connection timed out; no servers could be reached
$ dig +short +bufsize=1500 +dnssec @2001:558:feed::1 org -t dnskey
;; Truncated, retrying in TCP mode.
256 3 7 AwEAAXQRcjCcYDIZTLZZq46iF8oUX+c15GVdbszCa2RrrPz7yWEWAhu1 […]
257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b […]
257 3 7 AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDodnZ9IMh0bwMc […]
256 3 7 AwEAAal0CL9S++dL7Yg1BcHGOv0m3faUwZW9FuBW7ZsJTUnvFtUws17E […]
DNSKEY 7 1 900 20141208155603 20141117145603 9795 org. ScWxHC+pzp[…]
DNSKEY 7 1 900 20141208155603 20141117145603 21366 org. AlSsJz93j[…]
DNSKEY 7 1 900 20141208155603 20141117145603 60764 org. RySS8Ft6P[…]

The IPv4 DNS servers work better, but that doesn’t help dnsmasq because 
it only sends DNSSEC queries back to the same server that gave it the 
reply, which in my case is usually an IPv6 server.)

Anders


