<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">To be clear, the 1232 number was not a “finger in the wind” number, as noted on the flag day page:<div><br></div><div><p style="box-sizing: border-box; margin: 10px 0px 15px; padding: 0px; border: 0px; font-family: 'Myriad Pro', Calibri, Helvetica, Arial, sans-serif; font-stretch: inherit; line-height: inherit; vertical-align: baseline; caret-color: rgb(55, 55, 55); color: rgb(55, 55, 55); -webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%;">An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. This is based on an MTU of 1280, which is required by the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers and the aforementioned research.</p><font color="#000000"><span style="caret-color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;">(I was personally involved in the discussions re: flag day in my position at my former employer.)</span></font></div><div><font color="#000000"><span style="caret-color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><br></span></font><div dir="ltr">-- Brian</div><div dir="ltr"><br><blockquote type="cite">On Jan 11, 2022, at 11:13, Dominik Derigs &lt;dl6er@dl6er.de&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hey Petr,</span><br><span></span><br><span>at least one popular upstream DNS provider (Quad9 at 9.9.9.9 and</span><br><span>their other addresses) switched from 1280 to 1232. This means the</span><br><span>"should always work" size of dnsmasq is slightly too large for</span><br><span>them and might fail for those queries where the payload lies in</span><br><span>between these two values. 
Hence, I still find it meaningful to</span><br><span>reduce the number.</span><br><span>Otherwise, I perfectly agree with you on that 1232 is some</span><br><span>guesswork and that there will be no ultimate answer.</span><br><span></span><br><span>Best,</span><br><span>Dominik</span><br><span></span><br><span>On Tue, 2022-01-11 at 11:52 +0100, Petr Menšík wrote:</span><br><blockquote type="cite"><span>I doubt that small difference matters. 1280 or 1232 is almost</span><br></blockquote><blockquote type="cite"><span>the same.</span><br></blockquote><blockquote type="cite"><span>It is about the smallest packet supported by IPv6. I think size</span><br></blockquote><blockquote type="cite"><span>1232 was</span><br></blockquote><blockquote type="cite"><span>invented by more or less sophisticated guessing. I am not sure</span><br></blockquote><blockquote type="cite"><span>this is</span><br></blockquote><blockquote type="cite"><span>required to be exactly this value. I would leave it at the</span><br></blockquote><blockquote type="cite"><span>current value</span><br></blockquote><blockquote type="cite"><span>unless we know a case where it is insufficient.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Cheers,</span><br></blockquote><blockquote type="cite"><span>Petr</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On 1/9/22 11:06, Dominik Derigs wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hey Simon,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Minimum safe size is recommended to be 1232. 
See</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>https://dnsflagday.net/2020/, relevant parts below:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>This year, we are focusing on problems with IP</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>fragmentation of</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>DNS packets.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>IP fragmentation is unreliable on the Internet today, and</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>can</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>cause transmission failures when large DNS messages are sent</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>via</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>UDP. Even when fragmentation does work, it may not be secure;</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>it</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>is theoretically possible to spoof parts of a fragmented DNS</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>message, without easy detection at the receiving end.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- Bonica R. 
et al, “IP Fragmentation Considered Fragile”,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Work</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>in Progress, July 2018</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- Huston G., “IPv6, Large UDP Packets and the DNS”, August</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>2017</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- Fujiwara K., “Measures against cache poisoning attacks</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>using</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>IP fragmentation in DNS”, May 2019</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- Fujiwara K. 
et al, “Avoid IP fragmentation in DNS”,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>September</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>2019</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Recently, there was a paper and presentation Defragmenting</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>DNS</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>- Determining the optimal maximum UDP response size for DNS</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>by</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Axel Koolhaas, and Tjeerd Slokker in collaboration with NLnet</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Labs that explored the real world data using the RIPE Atlas</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>probes and the researchers suggested different values for</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>IPv4</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>and IPv6 and in different scenarios. 
This is practical for</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>server operators that know their environment, and **the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>defaults</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>in the DNS software should reflect the minimum safe size</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>which is</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>1232.**</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>This PR reduces the minimum safe size to said 1232 bytes.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>(currently `4096`) to ensure fragmentation will never happen,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>but</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I don't think we really want to do this given the steady</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>growth</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>in DNSSEC-enabled zones (see trend graphs on</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>https://stats.dnssec-tools.org).</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote 
type="cite"><blockquote type="cite"><span>Best,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Dominik</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br><span></span><br><span></span><br><span>_______________________________________________</span><br><span>Dnsmasq-discuss mailing list</span><br><span>Dnsmasq-discuss@lists.thekelleys.org.uk</span><br><span>https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</span><br></div></blockquote></div></body></html>