[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

Simon Kelley simon at thekelleys.org.uk
Fri May 8 16:55:40 BST 2015


On 08/05/15 16:52, Loganaden Velvindron wrote:
> On Fri, May 8, 2015 at 3:40 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> On 07/05/15 16:51, Nicholas Weaver wrote:
>>> One important consideration:  The Internet has decreed a long time
>>> ago that fragments don't work for IPv4, and REALLY don't work for
>>> IPv6: the number of systems that drop fragments for V6 is off the
>>> chart.
>>>
>>> For DNS, this means you get silent failures when the reply is
>>> bigger than the network's MTU when you use EDNS0/UDP.
>>>
>>>
>>> This is why I have long argued for the following:
>>>
>>> On a timeout, reduce the EDNS0 MTU to produce 1280B packets (which
>>> really do work effectively everywhere).  If the resulting query
>>> now succeeds with a reply and sets TC (truncation), this suggests
>>> a fragmentation problem in the path to that particular server.
>>>
>>> Now all subsequent requests to that server (at least for the next
>>> reasonable-timeout-period like a day) should have the smaller
>>> EDNS0 MTU.
>>>
>>> If the paths to multiple servers experience the same failure,
>>> reduce the EDNS0 MTU on a global basis.
>>>
>>
>> Code to do approximately this just hit the git repo.
>>
> 
> Hi Simon,
> 
> Perhaps there could be some work on a regression suite that tests the
> build of dnsmasq and makes DNSSEC queries against sets of domains to
> make sure that it works.
> 
> What do you think ?

What's really needed is a set of domains to query which test all the
many permutations of cyphersuites and DNSSEC options, including NSEC3
variations. There are some out there, but they're very incomplete.


Cheers,

Simon.
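The fallback heuristic Nicholas Weaver sketches in the quoted message, written out as an added example. This is not dnsmasq code and not the change Simon committed; it is a Python model of the algorithm with a constructed stand-in for the network. It builds a real EDNS0 query (OPT RR with the advertised UDP payload size and the DO bit), reads the TC bit back out of the reply header, and keeps per-server and global "use 1280" state with a one-day expiry. The global-fallback threshold of two bad servers, the 1400-byte path MTU of the fake network, and the fake server's answer sizes are assumptions. A reply that comes back with TC set still has to be re-asked over TCP; the example only signals that to the caller.

```python
"""EDNS0 buffer-size fallback on timeout, modelled on the heuristic quoted above.
Added example, not dnsmasq's implementation; thresholds and the fake network are assumptions."""
import struct
import time

DEFAULT_EDNS_SIZE = 4096
FALLBACK_EDNS_SIZE = 1280      # fits the IPv6 minimum MTU, so no fragmentation needed
FALLBACK_TTL = 24 * 3600       # remember a bad path for about a day (per the quoted proposal)
GLOBAL_THRESHOLD = 2           # assumption: this many bad servers triggers the global fallback
FLAG_TC = 0x0200               # truncation bit in the DNS header flags


def encode_name(qname):
    """DNS wire-format name, no compression."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, edns_size, txid=0x1234, qtype=1):
    """One-question query plus an OPT RR advertising edns_size, with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)       # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x00008000, 0)
    return header + question + opt


def query_edns_size(query):
    """Read the advertised payload size back out of the trailing 11-byte OPT RR."""
    return struct.unpack("!H", query[-8:-6])[0]


def reply_flags(reply):
    txid, flags = struct.unpack("!HH", reply[:4])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F}


class EdnsSizeTracker:
    """Per-server and global EDNS0 size state with expiry."""

    def __init__(self, now=time.time):
        self.now = now
        self.bad_servers = {}      # server -> timestamp at which the small size stops applying
        self.global_until = 0.0    # non-zero while the global fallback is in force

    def _expire(self):
        t = self.now()
        self.bad_servers = {s: e for s, e in self.bad_servers.items() if e > t}
        if self.global_until <= t:
            self.global_until = 0.0

    def size_for(self, server):
        self._expire()
        if self.global_until or server in self.bad_servers:
            return FALLBACK_EDNS_SIZE
        return DEFAULT_EDNS_SIZE

    def mark_bad_path(self, server):
        self._expire()
        self.bad_servers[server] = self.now() + FALLBACK_TTL
        if len(self.bad_servers) >= GLOBAL_THRESHOLD:
            self.global_until = self.now() + FALLBACK_TTL


def resolve(tracker, server, qname, transport):
    """transport(server, query) returns reply bytes, or None on timeout.
    Returns (reply_or_None, edns_size_used, path_problem_detected)."""
    size = tracker.size_for(server)
    reply = transport(server, build_query(qname, size))
    if reply is not None or size <= FALLBACK_EDNS_SIZE:
        return reply, size, False
    # Timed out at the large size: retry at 1280.  A reply that now arrives with TC
    # set means the answer is bigger than 1280 yet the big reply never got through,
    # which points at fragment loss on this path rather than a dead server.
    reply = transport(server, build_query(qname, FALLBACK_EDNS_SIZE))
    if reply is not None and reply_flags(reply)["tc"]:
        tracker.mark_bad_path(server)
        return reply, FALLBACK_EDNS_SIZE, True    # caller should re-ask over TCP
    return reply, FALLBACK_EDNS_SIZE, False


def make_fake_network(answer_sizes, path_mtu=1400):
    """Constructed stand-in for the network (assumption, not real servers): each server
    has a fixed answer size; answers longer than the advertised size come back as a
    TC stub, and answers longer than path_mtu are silently dropped (fragments lost)."""
    def transport(server, query):
        txid = struct.unpack("!H", query[:2])[0]
        size = answer_sizes[server]
        if size > query_edns_size(query):
            return struct.pack("!HHHHHH", txid, 0x8180 | FLAG_TC, 1, 0, 0, 0)
        if size > path_mtu:
            return None
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + b"\x00" * (size - 12)
    return transport


if __name__ == "__main__":
    tracker = EdnsSizeTracker()
    net = make_fake_network({"ns1": 1800, "ns2": 500})
    for server in ("ns1", "ns1", "ns2"):
        reply, size, bad = resolve(tracker, server, "www.ietf.org", net)
        print(server, "size", size, "tc", reply is not None and reply_flags(reply)["tc"], "bad path", bad)
```

The point the quoted proposal makes, and the model preserves, is that a plain timeout is ambiguous: only the combination "no reply at 4096, truncated reply at 1280" separates a fragment-dropping path from an unreachable server, and only that combination should demote the server for the next day.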
