[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7
Simon Kelley
simon at thekelleys.org.uk
Fri May 8 16:40:52 BST 2015
On 07/05/15 16:51, Nicholas Weaver wrote:
> One important consideration: The Internet has decreed a long time
> ago that fragments don't work for IPv4, and REALLY don't work for
> IPv6: the number of systems that drop fragments for V6 is off the
> chart.
>
> For DNS, this means you get silent failures when the reply is
> bigger than the network's MTU when you use EDNS0/UDP.
>
>
> This is why I have long argued for the following:
>
> On a timeout, reduce the EDNS0 MTU to produce 1280B packets (which
> really do work effectively everywhere). If the resulting query
> now succeeds with a reply and sets TC (truncation), this suggests
> a fragmentation problem in the path to that particular server.
>
> Now all subsequent requests to that server (at least for the next
> reasonable-timeout-period like a day) should have the smaller
> EDNS0 MTU.
>
> If the path to multiple servers experiences the same failure,
> reduce the EDNS0 MTU on a global basis.
>
Code to do approximately this just hit the git repo.
Cheers,
Simon.
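The fallback Nicholas describes above, written out as an added Python sketch of the per-server and global state it needs; this is not dnsmasq's code, and the 4096 default size, the one-day hold-down and the three-server threshold for the global step are assumptions.

```python
import time

DEFAULT_EDNS0_SIZE = 4096   # assumed initial advertised UDP payload size
SAFE_EDNS0_SIZE = 1280      # the size the post says works everywhere
HOLD_DOWN = 24 * 3600       # remember a broken path for about a day
GLOBAL_THRESHOLD = 3        # assumed: this many broken paths => reduce globally


class EdnsSizePolicy:
    """Decides which EDNS0 buffer size to advertise to each upstream server."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.bad_until = {}         # server -> time until which it gets the small size
        self.global_until = 0.0     # time until which every server gets the small size
        self.pending_probe = set()  # servers being retried at the small size right now

    def advertised_size(self, server):
        now = self.clock()
        if now < self.global_until or self.bad_until.get(server, 0.0) > now:
            return SAFE_EDNS0_SIZE
        if server in self.pending_probe:
            return SAFE_EDNS0_SIZE
        return DEFAULT_EDNS0_SIZE

    def on_timeout(self, server):
        """A query timed out: retry that server with the 1280-byte size."""
        self.pending_probe.add(server)
        return SAFE_EDNS0_SIZE

    def on_reply(self, server, truncated):
        """A reply arrived. If it answers a reduced-size retry and has TC set,
        the path to this server cannot carry large replies: pin it for a day.
        Returns True when the server was pinned."""
        if server not in self.pending_probe:
            return False
        self.pending_probe.discard(server)
        if not truncated:
            return False            # reply without TC: the timeout was something else
        now = self.clock()
        self.bad_until[server] = now + HOLD_DOWN
        # forget expired entries, then see whether enough paths are broken to go global
        self.bad_until = {s: t for s, t in self.bad_until.items() if t > now}
        if len(self.bad_until) >= GLOBAL_THRESHOLD:
            self.global_until = now + HOLD_DOWN
        return True
```

A real resolver would also need to re-issue the truncated answer over TCP; the policy above only decides what size the next UDP query advertises.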