[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

Simon Kelley simon at thekelleys.org.uk
Wed May 6 22:38:42 BST 2015


I can demonstrate that there's a problem here, independent of dnsmasq:


srk at holly:~$ dig @2001:4860:4860::8888 dnskey org +dnssec

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @2001:4860:4860::8888 dnskey org +dnssec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Doing the same, but sending to 8.8.8.8, works.

With the number of dnskeys in .org generating an answer bigger than the
PMTU, it all fails. The only thing dnsmasq can do is set the EDNS packet
max value to that which must be supported by all implementations, which
is 576 for IPv4 and 1280 for IPv6. Or the lower of those two when the
query may be forwarded over both IPv4 and IPv6.

Maybe 1280 is OK, since IPv4 fragmentation (normally) works, whilst IPv6
sender-based fragmentation seems to be terminally broken, at least for UDP.

Either way, having four DNSKEYS in .org looks like a bad decision.

Simon.
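As an added illustration (not Simon's code and not part of dnsmasq), the following Python builds a DNSKEY query carrying an EDNS0 OPT record that advertises a chosen UDP payload size, encodes the 576/1280 rule from the post in `conservative_payload`, and inspects a reply for the TC (truncated) bit and the responder's advertised size. The response bytes are constructed, not captured from a real server.

```python
import struct
DNSKEY, OPT = 48, 41          # RR type codes
DO_BIT = 0x8000               # DNSSEC OK flag in the OPT TTL field

def encode_name(name):
    # "org." -> b"\x03org\x00"
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, udp_payload, txid=0x1234):
    # header: id, flags=RD, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root owner name, type 41, CLASS carries the requester's
    # maximum UDP payload size, TTL carries ext-rcode/version/DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, DO_BIT, 0)
    return header + question + opt

def conservative_payload(via_ipv4, via_ipv6):
    # the post's rule: advertise only what every path must carry unfragmented
    # (576 for IPv4, 1280 for IPv6), and the lower of the two if both are possible
    sizes = ([576] if via_ipv4 else []) + ([1280] if via_ipv6 else [])
    return min(sizes)

def skip_name(msg, off):
    # step over a wire-format name, handling a compression pointer (0xC0..)
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def inspect_response(msg):
    """Return (tc_bit, responder_udp_payload_or_None) for a DNS reply."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):                       # skip question section
        off = skip_name(msg, off) + 4
    payload = None
    for _ in range(an + ns + ar):             # walk every RR, look for OPT
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            payload = rclass
        off += 10 + rdlen
    return bool(flags & 0x0200), payload
# constructed sample: a truncated (TC=1) reply whose OPT RR advertises 4096
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
                    + encode_name("org") + struct.pack("!HH", DNSKEY, 1)
                    + b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0))
```

A TC=1 reply is the signal that the answer exceeded the advertised payload and the client must retry over TCP; a resolver that answers over IPv4 but times out over IPv6, as in the dig output above, is instead losing fragments on the path.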