[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

Nicholas Weaver nweaver at gmail.com
Thu May 7 16:51:43 BST 2015


One important consideration:  The Internet has decreed a long time ago that fragments don't work for IPv4, and REALLY don't work for IPv6: the number of systems that drop fragments for V6 is off the chart.

For DNS, this means you get silent failures when the reply is bigger than the network's MTU when you use EDNS0/UDP.


This is why I have long argued for the following:

On a timeout, reduce the EDNS0 MTU to produce 1280B packets (which really do work effectively everywhere).  If the resulting query now succeeds with a reply and sets TC (truncation), this suggests a fragmentation problem in the path to that particular server.

Now all subsequent requests to that server (at least for the next reasonable-timeout-period like a day) should have the smaller EDNS0 MTU.

If the path to multiple servers experiences the same failure, reduce the EDNS0 MTU on a global basis.

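The fallback procedure described in the message (timeout at the large EDNS0 buffer size, retry at 1280 bytes, treat a successful-but-truncated reply as evidence of a fragmentation problem, remember that per server for a day, and go global once several servers show it) as an added worked example. This is not dnsmasq code and not the author's; the simulated upstream servers, the 4096-byte starting size, the three-server threshold for the global fallback and the names used are assumptions made for the simulation.

```python
"""Simulation of the EDNS0 buffer-size fallback described in the message.

Added example, not dnsmasq code. The server model, the 4096-byte default
and the GLOBAL_THRESHOLD value are constructed assumptions; 1280 bytes and
the one-day memory come from the message.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_BUFSIZE = 4096           # assumed EDNS0 UDP payload size advertised when healthy
FALLBACK_BUFSIZE = 1280          # the size the message says works effectively everywhere
REMEMBER_SECONDS = 24 * 3600     # how long a server stays on the small size (one day)
GLOBAL_THRESHOLD = 3             # assumed: this many affected servers -> global fallback


@dataclass
class Reply:
    size: int   # bytes actually delivered to the client
    tc: bool    # truncation bit: the answer exceeded the buffer we advertised


@dataclass
class SimServer:
    """Constructed model of an upstream server and the path to it."""
    name: str
    answer_size: int       # full size of the answer it wants to send
    path_mtu: int          # anything larger than this is fragmented on the path
    drops_fragments: bool  # True: some hop silently discards fragments

    def query(self, bufsize: int) -> Optional[Reply]:
        # The server never sends more than the buffer we advertised; if the
        # answer does not fit it sets TC so the client can retry over TCP.
        size = min(self.answer_size, bufsize)
        tc = self.answer_size > bufsize
        if size > self.path_mtu and self.drops_fragments:
            return None  # fragment lost: from the client's view, a timeout
        return Reply(size, tc)


class EdnsFallback:
    """Per-server and global EDNS0 buffer-size state kept by a resolver."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.reduced_until = {}   # server name -> expiry timestamp
        self.global_until = 0.0   # global fallback expiry timestamp

    def _active(self) -> set:
        now = self.clock()
        # Forget expired entries so a server gets another chance at the large size.
        self.reduced_until = {s: t for s, t in self.reduced_until.items() if t > now}
        return set(self.reduced_until)

    def bufsize_for(self, server: str) -> int:
        if self.global_until > self.clock():
            return FALLBACK_BUFSIZE
        return FALLBACK_BUFSIZE if server in self._active() else DEFAULT_BUFSIZE

    def resolve(self, server: SimServer):
        """Return (reply_or_None, bufsize_used), applying the timeout fallback."""
        bufsize = self.bufsize_for(server.name)
        reply = server.query(bufsize)
        if reply is not None or bufsize == FALLBACK_BUFSIZE:
            return reply, bufsize
        # Timeout at the large size: retry once at 1280 bytes.
        reply = server.query(FALLBACK_BUFSIZE)
        if reply is not None and reply.tc:
            # Small query succeeds but is truncated: the big answer was being
            # fragmented and lost. Remember that for this server for a day.
            now = self.clock()
            self.reduced_until[server.name] = now + REMEMBER_SECONDS
            if len(self._active()) >= GLOBAL_THRESHOLD:
                self.global_until = now + REMEMBER_SECONDS
        return reply, FALLBACK_BUFSIZE


def demo():
    """Run the message's scenario against constructed servers with a fake clock."""
    t = [0.0]
    state = EdnsFallback(clock=lambda: t[0])
    broken = [SimServer(f"broken{i}", 3000, 1500, True) for i in range(3)]
    first = state.resolve(broken[0])        # timeout at 4096, success plus TC at 1280
    second = state.resolve(broken[0])       # remembered: goes straight to 1280
    for s in broken[1:]:
        state.resolve(s)                    # third affected server triggers global fallback
    healthy_now = state.bufsize_for("healthy")
    t[0] += REMEMBER_SECONDS + 1            # a day later the memory expires
    healthy_later = state.bufsize_for("healthy")
    return first, second, healthy_now, healthy_later


if __name__ == "__main__":
    print(demo())
```

A reply that arrives truncated at 1280 bytes still has to be completed over TCP in a real resolver; the simulation only tracks the buffer-size decision, which is the part the message argues about.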

