To be clear, the 1232 number was not a “finger in the wind” number, as noted on 
the flag day page:

An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all 
current networks. This is based on an MTU of 1280, which is required by the 
IPv6 specification, minus 48 bytes for the IPv6 and UDP headers and the 
aforementioned research.

(I was personally involved in the discussions re: flag day in my position at my 
former employer.)

-- Brian

> On Jan 11, 2022, at 11:13, Dominik Derigs <dl...@dl6er.de> wrote:
> 
> Hey Petr,
> 
> at least one popular upstream DNS provider (Quad9 at 9.9.9.9 and
> their other addresses) switched from 1280 to 1232. This means the
> "should always work" size of dnsmasq is slightly too large for
> them and might fail for those queries where the payload lies in
> between these two values. Hence, I still find it meaningful to
> reduce the number.
> Otherwise, I perfectly agree with you that 1232 is some
> guesswork and that there will be no ultimate answer.
> 
> Best,
> Dominik
> 
>> On Tue, 2022-01-11 at 11:52 +0100, Petr Menšík wrote:
>> I doubt that small difference matters. 1280 or 1232 is almost
>> the same. It is about the smallest packet supported by IPv6. I
>> think size 1232 was invented by more or less sophisticated
>> guessing. I am not sure this is required to be exactly this
>> value. I would leave it at the current value unless we know a
>> case where it is insufficient.
>> 
>> Cheers,
>> Petr
>> 
>>> On 1/9/22 11:06, Dominik Derigs wrote:
>>> Hey Simon,
>>> 
>>> Minimum safe size is recommended to be 1232. See
>>> https://dnsflagday.net/2020/, relevant parts below:
>>> 
>>>> This year, we are focusing on problems with IP fragmentation of
>>>> DNS packets.
>>>> IP fragmentation is unreliable on the Internet today, and can
>>>> cause transmission failures when large DNS messages are sent via
>>>> UDP. Even when fragmentation does work, it may not be secure; it
>>>> is theoretically possible to spoof parts of a fragmented DNS
>>>> message, without easy detection at the receiving end.
>>>> - Bonica R. et al, “IP Fragmentation Considered Fragile”, Work
>>>> in Progress, July 2018
>>>> - Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
>>>> - Fujiwara K., “Measures against cache poisoning attacks using
>>>> IP fragmentation in DNS”, May 2019
>>>> - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September
>>>> 2019
>>>> Recently, there was a paper and presentation Defragmenting DNS
>>>> - Determining the optimal maximum UDP response size for DNS by
>>>> Axel Koolhaas, and Tjeerd Slokker in collaboration with NLnet
>>>> Labs that explored the real world data using the RIPE Atlas
>>>> probes and the researchers suggested different values for IPv4
>>>> and IPv6 and in different scenarios. This is practical for the
>>>> server operators that know their environment, and **the
>>>> defaults in the DNS software should reflect the minimum safe
>>>> size which is 1232.**
>>> 
>>> This PR reduces the minimum safe size to said 1232 bytes.
>>> Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
>>> (currently `4096`) to ensure fragmentation will never happen, but
>>> I don't think we really want to do this given the steady growth
>>> in DNSSEC-enabled zones (see trend graphs on
>>> https://stats.dnssec-tools.org).
>>> 
>>> Best,
>>> Dominik
>> 
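As an added example (not code from dnsmasq or from anyone in this thread), the Python below derives the 1232 figure the way the flag day page does (1280 minus 48 bytes of IPv6 and UDP headers), reads the UDP payload size a requester advertises in its EDNS(0) OPT record, and caps the usable response size at a local limit the way the discussed change would; the query bytes are constructed inline, and `skip_name`, `build_query`, `advertised_edns_size` and `effective_udp_size` are names chosen here, not dnsmasq's.

```python
import struct

IPV6_MIN_MTU = 1280                 # minimum link MTU required by the IPv6 spec
IPV6_UDP_HEADERS = 40 + 8           # IPv6 header + UDP header
FLAGDAY_SAFE_SIZE = IPV6_MIN_MTU - IPV6_UDP_HEADERS   # 1232, the value in the thread
EDNS_OPT_TYPE = 41                  # OPT pseudo-RR type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past the wire-format name starting at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_query(qname, udp_payload_size=None):
    """Constructed sample: one A question for qname plus an OPT RR advertising udp_payload_size (no OPT if None)."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if udp_payload_size is None:
        return header + question
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt

def advertised_edns_size(msg):
    """UDP payload size advertised in the message's OPT RR, or None without EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS_OPT_TYPE:
            return rclass                   # CLASS carries the buffer size
        off += 10 + rdlen
    return None

def effective_udp_size(msg, local_limit=FLAGDAY_SAFE_SIZE):
    """Response size a responder should honour: the requester's advertised size
    capped at the local safe limit, or the classic 512 bytes without EDNS."""
    advertised = advertised_edns_size(msg)
    return 512 if advertised is None else min(advertised, local_limit)
```

Lowering `local_limit` from 1280 to 1232 only changes the outcome for requesters advertising a value in between, which is exactly the gap the thread argues about.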
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss