On 5 Oct 2018, at 3:12 pm, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 5/Oct/18 03:07, John Levine wrote:
Yeah, V6 UDP fragmentation and anycast are bad news. You can sort of fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot easier to stick to v4.
Geoff Huston has written about this a lot and it's a well known problem in the DNS community. I'm surprised if it's news to anyone here.
https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/
In BIND, I think this can be solved by using the "minimal-responses" knob.
Mark.
If you don’t want fragmented IPv6 UDP responses use

	server ::/0 { edns-udp-size 1232; };

That’s 1280 - IPv6 header - UDP header. Anything bigger than that can theoretically be fragmented. You will then have to deal with PMTUD failures as the servers switch over to TCP.

What I find ridiculous is firewall vendors that claim to support adding stateful rules on demand but don’t add “from <src> to <dst> frag offset != 0” when they add “from <src> to <dst> proto xxx src-port <dst-port> dst-port <src-port>” or don’t do packet reassembly to work around the lack of passing fragments. This is IP and fragments are part and parcel of IP whether it is IPv4 or IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
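The arithmetic behind the 1232 figure and the TCP fallback it implies, as an added example that is not part of the thread (none of the posters wrote it): it derives the largest unfragmentable UDP payload from the IPv6 minimum MTU, builds a query whose EDNS0 OPT record advertises that buffer size, and checks a response header for the TC bit that tells a resolver to retry over TCP. Wire offsets follow RFC 1035 and RFC 6891; the sample responses are constructed bytes, not captured traffic.

```python
import struct

IPV6_MIN_MTU = 1280          # RFC 8200 minimum link MTU
IPV6_HDR, IPV4_HDR_MIN, UDP_HDR = 40, 20, 8


def max_unfragmented_payload(mtu=IPV6_MIN_MTU, ipv6=True):
    """Largest UDP payload that fits one packet without fragmentation.

    For IPv6 at the minimum MTU this is 1280 - 40 - 8 = 1232, the value
    the thread recommends for BIND's edns-udp-size."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR_MIN) - UDP_HDR


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, udp_size, txid=0x1234):
    """DNS query with an EDNS0 OPT pseudo-RR advertising udp_size bytes.

    Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1.
    OPT RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
    TTL=ext-RCODE/version/flags with the DO bit set, RDLENGTH=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt


def parse_header(data):
    """Return the fields a resolver needs to decide on a TCP retry."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "arcount": ar}


def needs_tcp_retry(data):
    """True when the server truncated the UDP answer (TC=1), i.e. the
    response did not fit the advertised buffer and must be re-asked over TCP."""
    return parse_header(data)["tc"]


# Constructed sample headers (only the 12-byte header matters here):
# QR=1, TC=1, RD=1, RA=1 -> 0x8380 ; same without TC -> 0x8180
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
```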