[Dnsmasq-discuss] [PATCH] DNS flag day 2020: Minimum safe size is 1232

Simon Kelley simon at thekelleys.org.uk
Thu Jan 13 00:34:26 UTC 2022


I'm happy this is sensible.


Patch applied.


Simon.


On 12/01/2022 03:42, Brian Hartvigsen wrote:
> To be clear the 1232 number was not a “finger in the wind” number, as
> noted on the flag day page:
> 
> An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all
> current networks. This is based on an MTU of 1280, which is required by
> the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers and
> the aforementioned research.
> 
> (I was personally involved in the discussions re: flag day in my
> position at my former employer.)
> 
> -- Brian
> 
>> On Jan 11, 2022, at 11:13, Dominik Derigs <dl6er at dl6er.de> wrote:
>>
>> Hey Petr,
>>
>> at least one popular upstream DNS provider (Quad9 at 9.9.9.9 and
>> their other addresses) switched from 1280 to 1232. This means the
>> "should always work" size of dnsmasq is slightly too large for
>> them and might fail for those queries where the payload lies in
>> between these two values. Hence, I still find it meaningful to
>> reduce the number.
>> Otherwise, I perfectly agree with you that 1232 is some
>> guesswork and that there will be no ultimate answer.
>>
>> Best,
>> Dominik
>>
>> On Tue, 2022-01-11 at 11:52 +0100, Petr Menšík wrote:
>>> I doubt that small difference matters. 1280 or 1232 is almost
>>> the same. It is about the smallest packet supported by IPv6. I
>>> think size 1232 was invented by more or less sophisticated
>>> guessing. I am not sure this is required to be exactly this
>>> value. I would leave it at the current value unless we know a
>>> case where it is insufficient.
>>>
>>> Cheers,
>>> Petr
>>>
>>> On 1/9/22 11:06, Dominik Derigs wrote:
>>>> Hey Simon,
>>>>
>>>> Minimum safe size is recommended to be 1232. See
>>>> https://dnsflagday.net/2020/, relevant parts below:
>>>>
>>>>> This year, we are focusing on problems with IP fragmentation of
>>>>> DNS packets. IP fragmentation is unreliable on the Internet today,
>>>>> and can cause transmission failures when large DNS messages are
>>>>> sent via UDP. Even when fragmentation does work, it may not be
>>>>> secure; it is theoretically possible to spoof parts of a fragmented
>>>>> DNS message, without easy detection at the receiving end.
>>>>>
>>>>> - Bonica R. et al, “IP Fragmentation Considered Fragile”, Work in
>>>>>   Progress, July 2018
>>>>> - Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
>>>>> - Fujiwara K., “Measures against cache poisoning attacks using IP
>>>>>   fragmentation in DNS”, May 2019
>>>>> - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September 2019
>>>>>
>>>>> Recently, there was a paper and presentation Defragmenting DNS -
>>>>> Determining the optimal maximum UDP response size for DNS by Axel
>>>>> Koolhaas, and Tjeerd Slokker in collaboration with NLnet Labs that
>>>>> explored the real world data using the RIPE Atlas probes and the
>>>>> researchers suggested different values for IPv4 and IPv6 and in
>>>>> different scenarios. This is practical for the server operators that
>>>>> know their environment, and **the defaults in the DNS software
>>>>> should reflect the minimum safe size which is 1232.**
>>>>
>>>> This PR reduces the minimum safe size to said 1232 bytes.
>>>> Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
>>>> (currently `4096`) to ensure fragmentation will never happen,
>>>> but I don't think we really want to do this given the steady
>>>> growth in DNSSEC-enabled zones (see trend graphs on
>>>> https://stats.dnssec-tools.org).
>>>>
>>>> Best,
>>>> Dominik
>>>
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
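The arithmetic Brian quotes above (IPv6 minimum MTU 1280, minus 40 bytes of IPv6 header and 8 bytes of UDP header, gives 1232) as a worked Python example; this is added here and is not code from the thread or from dnsmasq. It builds a query carrying an EDNS0 OPT pseudo-RR that advertises that buffer size and reads the advertised size back out of a message; the function names and the sample query are constructed for the example.

```python
import struct

# Arithmetic from the flag-day page: the IPv6 minimum MTU (1280) minus the
# IPv6 header (40) and UDP header (8) is the largest unfragmented UDP payload.
IPV6_MIN_MTU, IPV6_HEADER, UDP_HEADER = 1280, 40, 8
EDNS_SAFE_SIZE = IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER  # 1232

def safe_edns_size(mtu: int = IPV6_MIN_MTU) -> int:
    """Largest UDP payload that fits in one IPv6 packet at the given path MTU."""
    return mtu - IPV6_HEADER - UDP_HEADER

def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending with the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, bufsize: int = EDNS_SAFE_SIZE, do_bit: bool = False) -> bytes:
    """Constructed DNS query with an EDNS0 OPT pseudo-RR (RFC 6891) in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # ID, RD set, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    # OPT RR: root owner name, TYPE=41, the CLASS field carries the UDP payload
    # size, the TTL field carries ext-RCODE/version/flags (DO bit = 0x8000), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name, handling a compression pointer (RFC 1035 4.1.4)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return pos + 2
        pos += 1 + length

def edns_bufsize(msg: bytes):
    """UDP payload size advertised in the OPT RR, or None when the message carries no EDNS."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                       # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return rclass                                   # CLASS = sender's buffer size
        pos += 10 + rdlen
    return None
```

A resolver that advertises more than `safe_edns_size()` for the path it is on invites fragmented responses, which is the failure mode the flag-day page and Dominik's Quad9 observation describe.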