[Dnsmasq-discuss] dns flag day 2020

Simon Kelley simon at thekelleys.org.uk
Wed Sep 11 22:47:35 BST 2019


On 02/09/2019 19:52, Dave Taht wrote:
> 
> Does anyone have an opinion on:
> 
> https://github.com/dns-violations/dnsflagday/issues/125
> 
> (posteth not here, but on that thread)
> 

Dnsmasq has code which tries to detect lost oversize UDP packets and
reduces the maximum sent to 1280.  If the powers that be can come up
with a definitive solution, I'd like to implement it.

> sort of spawned by that, though, are three questions, which
> perhaps we can answer here...
> 
> 1) How much is the dnssec stuff in dnsmasq enabled?
> 
> For example, although it's available in openwrt, I think it is disabled
> by default. It was enabled by default in cerowrt (my old project), but
> had enough bugs revealed after the final release for most to disable it.
> 
> That said, I do run it where I can, in openwrt, but I figure it's kind
> of lonely.
> 

I don't know. I suspect not often. Why bother? most of the net is not
signed anyway.

We eat our own DNSSEC dogfood here at thekelleys, and don't see any
problems, forwarding to 8.8.8.8 or 1.1.1.1.
Most of the bug reports I see these days seem to be due to
different/unexpected behaviour of upstreams which catches out code
tested almost exclusively on those two.

> 2) How often does it succeed over udp?
> 
> 3) How often does it have to fallback to tcp?
> 

I don't know for sure, and don't have any recent logs. I've not,
historically, seen high TCP fallback rates.


Cheers,

Simon.

> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
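The mechanics Simon's reply refers to (advertising an EDNS(0) UDP buffer size, treating a truncated answer as the signal to retry over TCP, and dropping the advertised size to 1280 once oversize UDP answers appear to be getting lost) are shown below in an added example. This is illustrative code written for this page, not dnsmasq's implementation: the starting size of 4096, the "reduce after two timeouts" threshold and the names `UdpSizePolicy`, `build_query` and `advertised_size` are all assumptions; only the 1280 figure comes from the thread. The truncated response is a constructed sample so the block runs offline.

```python
import struct
from typing import Optional

# Added example, not dnsmasq's code. It models the pieces the thread talks about:
# advertising an EDNS(0) UDP payload size, noticing a truncated (TC) answer that
# forces a TCP retry, and shrinking the advertised size to 1280 after repeated
# UDP timeouts, which suggest an oversize answer is being dropped on the path.

INITIAL_EDNS_SIZE = 4096    # assumed starting value; not taken from dnsmasq
REDUCED_EDNS_SIZE = 1280    # the reduced maximum mentioned in the reply
TIMEOUTS_BEFORE_REDUCE = 2  # assumed policy threshold, not dnsmasq's

TYPE_OPT = 41
FLAG_QR = 0x8000            # header flags: response
FLAG_TC = 0x0200            # header flags: TrunCation
FLAG_RD = 0x0100            # header flags: recursion desired
FLAG_RA = 0x0080            # header flags: recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, edns_size: int,
                txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Query with one OPT pseudo-RR advertising edns_size as the UDP buffer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = payload size,
    # TTL = extended rcode / version / DO flag, RDLEN 0 (no options).
    ttl_field = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, ttl_field, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_size(query: bytes) -> Optional[int]:
    """Find the OPT record in a message and return its advertised UDP payload size."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                        # CLASS field carries the size
        off += 10 + rdlen
    return None


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, i.e. the answer did not fit in the UDP buffer."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


class UdpSizePolicy:
    """Tracks what size to advertise next and which transport to use."""

    def __init__(self) -> None:
        self.edns_size = INITIAL_EDNS_SIZE
        self.timeouts = 0

    def next_action(self, response: Optional[bytes]) -> str:
        """Given a UDP response (None = timeout), return 'done', 'tcp' or 'retry-udp'."""
        if response is None:
            self.timeouts += 1
            if self.timeouts >= TIMEOUTS_BEFORE_REDUCE:
                self.edns_size = REDUCED_EDNS_SIZE   # suspect oversize UDP loss
            return "retry-udp"
        self.timeouts = 0
        return "tcp" if is_truncated(response) else "done"


# Constructed sample response: matching txid, QR|RD|RA|TC set, question echoed, no answers.
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
)


def simulate() -> dict:
    """Walk one resolver through a timeout, a second timeout, then a truncated answer."""
    policy = UdpSizePolicy()
    steps = [policy.next_action(None),
             policy.next_action(None),
             policy.next_action(TRUNCATED_RESPONSE)]
    return {"steps": steps, "size": policy.edns_size,
            "query_len": len(build_query("example.com", 1, policy.edns_size))}


if __name__ == "__main__":
    print(simulate())
```

The policy object is where a real resolver's behaviour would differ: dnsmasq's actual trigger for dropping to 1280 is not described in the thread beyond "tries to detect lost oversize UDP packets", so the two-timeout rule here is only a stand-in for that detection. The `advertised_size` parser also works on responses, which is how a defender checking a capture can confirm what buffer size each side actually offered.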
