[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

Loganaden Velvindron loganaden at gmail.com
Fri May 8 16:52:54 BST 2015


On Fri, May 8, 2015 at 3:40 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 07/05/15 16:51, Nicholas Weaver wrote:
>> One important consideration:  The Internet has decreed a long time
>> ago that fragments don't work for IPv4, and REALLY don't work for
>> IPv6: the amount of systems that drop fragments for V6 is off the
>> chart.
>>
>> For DNS, this means you get silent failures when the reply is
>> bigger than the network's MTU when you use EDNS0/UDP.
>>
>>
>> This is why I have long argued for the following:
>>
>> On a timeout, reduce the EDNS0 MTU to produce 1280B packets (which
>> really do work effectively everywhere).  If the resulting query
>> now succeeds with a reply and sets TC (truncation), this suggests
>> a fragmentation problem in the path to that particular server.
>>
>> Now all subsequent requests to that server (at least for the next
>> reasonable-timeout-period like a day) should have the smaller
>> EDNS0 MTU.
>>
>> If the path to multiple servers experiences the same failure,
>> reduce the EDNS0 MTU on a global basis.
>>
>
> Code to do approximately this just hit the git repo.
>

Hi Simon,

Perhaps there could be some work on a regression suite that tests the
build of dnsmasq and makes DNSSEC queries against sets of domains to
make sure that it works.

What do you think?
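The per-server fallback quoted above, written out as an added example for readers of this thread; it is not dnsmasq's code and not from any participant. The payload sizes (4096 full, 1280 safe), the one-day hold-down, the two-server threshold for going global and the caller-supplied monotonic clock are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Illustration only: sizes, hold-down and threshold are assumed values. */
#define EDNS_FULL_SIZE   4096u  /* advertised UDP payload size on a clean path */
#define EDNS_SAFE_SIZE   1280u  /* size that fits unfragmented practically everywhere */
#define MAX_SERVERS      8
#define HOLDDOWN_SECS    (24u * 60u * 60u)  /* "a day" */
#define GLOBAL_THRESHOLD 2      /* this many servers flagged => shrink globally */

struct server_state {
    bool     probing;      /* last query timed out; next one goes out at the safe size */
    uint32_t small_until;  /* monotonic seconds until which this server stays small */
};
static struct server_state servers[MAX_SERVERS];
static uint32_t global_small_until;

void edns_reset(void) { memset(servers, 0, sizeof servers); global_small_until = 0; }

/* Payload size to put in the EDNS0 OPT record of the next query to server s. */
uint16_t edns_size_for(int s, uint32_t now)
{
    if (now < global_small_until || now < servers[s].small_until || servers[s].probing)
        return EDNS_SAFE_SIZE;
    return EDNS_FULL_SIZE;
}

/* A query to server s timed out: retry it at the safe size as a probe. */
void edns_on_timeout(int s) { servers[s].probing = true; }

/* A reply from server s arrived; tc is the reply's TC (truncation) bit.
   A probe that succeeds *and* is truncated means the full-size reply was
   being lost in transit, so pin this server to the safe size for a day;
   once enough servers are pinned, pin every server. A probe answered
   without TC proves nothing about the path, so it leaves no mark. */
void edns_on_reply(int s, bool tc, uint32_t now)
{
    if (servers[s].probing && tc) {
        int flagged = 0;
        servers[s].small_until = now + HOLDDOWN_SECS;
        for (int i = 0; i < MAX_SERVERS; i++)
            if (now < servers[i].small_until)
                flagged++;
        if (flagged >= GLOBAL_THRESHOLD)
            global_small_until = now + HOLDDOWN_SECS;
    }
    servers[s].probing = false;
}
```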


