[Dnsmasq-discuss] [PATCH] DNS flag day 2020: Minimum safe size is 1232
Petr Menšík
pemensik at redhat.com
Tue Jan 11 10:52:54 UTC 2022
I doubt that small difference matters. 1280 or 1232 is almost the same.
It is about the smallest packet supported by IPv6. I think size 1232 was
invented by more or less sophisticated guessing. I am not sure this is
required to be exactly this value. I would leave it at the current value
unless we know a case where it is insufficient.
Cheers,
Petr
On 1/9/22 11:06, Dominik Derigs wrote:
> Hey Simon,
>
> Minimum safe size is recommended to be 1232. See
> https://dnsflagday.net/2020/, relevant parts below:
>
>> This year, we are focusing on problems with IP fragmentation of
>> DNS packets.
>> IP fragmentation is unreliable on the Internet today, and can
>> cause transmission failures when large DNS messages are sent via
>> UDP. Even when fragmentation does work, it may not be secure; it
>> is theoretically possible to spoof parts of a fragmented DNS
>> message, without easy detection at the receiving end.
>> - Bonica R. et al, “IP Fragmentation Considered Fragile”, Work
>> in Progress, July 2018
>> - Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
>> - Fujiwara K., “Measures against cache poisoning attacks using
>> IP fragmentation in DNS”, May 2019
>> - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September
>> 2019
>> Recently, there was a paper and presentation Defragmenting DNS
>> - Determining the optimal maximum UDP response size for DNS by
>> Axel Koolhaas and Tjeerd Slokker in collaboration with NLnet
>> Labs that explored the real world data using the RIPE Atlas
>> probes and the researchers suggested different values for IPv4
>> and IPv6 and in different scenarios. This is practical for the
>> server operators that know their environment, and **the defaults
>> in the DNS software should reflect the minimum safe size which is
>> 1232.**
>
> This PR reduces the minimum safe size to said 1232 bytes.
> Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
> (currently `4096`) to ensure fragmentation will never happen, but
> I don't think we really want to do this given the steady growth
> in DNSSEC-enabled zones (see trend graphs on
> https://stats.dnssec-tools.org).
>
> Best,
> Dominik
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB