In message <59c47601.5030...@redbarn.org>, Paul Vixie writes: > Davey Song() wrote: > > Hi Paul, > > > > I know you suggest expose the problem and let the trouble maker > > feeling the pain themselves. But return to the specific issue, from > > APNIC's measurement the ASes in the path are dropping the fragments, > > rather than end ASes. From these ASes' view , it's your pain not > > theirs. > > it's a question of first mover advantage. EDNS will never be fully > deployed, because of the middleboxes built before 1999 who "know" what a > UDP/53 datagram has to look like, and which disallow ADCOUNT>0 && QR=0.
The ones built after 1999 that assume EDNS will always have a version field of zero, or that there won't be any EDNS options, or that there won't be any EDNS flags bits, other than DO, are the biggest problem. > we can, if we wish, continue to standardize one protocol, watch as the > world deploys a different one, and still pretent that our effort was > worthwhile. however, this would fit the technical definition of > "insanity", and i urge that we avoid this course of action. > > > In another word, we are facing the fragmented and uncooperative > > Internet. What should we do ? It is very hard to coordinate all parts > > and networks. DNS is a field with lots of tussle. > > we need a kernel option for various open source operating systems which > causes all UDP to be fragmented at 512 octets of payload. for ipv4, so > that we can hard-smash every middlebox which still prevents EDNS from > being deployed, and for ipv6 also, so that we can hard-smash any middle > or edge network who won't carry ipv6 extension headers. > > and we need to turn this on everywhere. root, gtld, cctld, recursives, > authoriatives, 8.8.8.8, opendns... Everywhere. with a press release to > pre-announce the flag day. > > if we're not going to stand up for the standards we write, then we > should admit that nothing except tcp/80 will work, and avoid all else. Just padding UDP responses to EDNS buffer size should be enough to force fragmentation. If you advertise a 4096 buffer you should be able to accept such a response. We also need to bump the EDNS version number. Going to EDNS(1) will hit the firewalls that think EDNS(0) is the only EDNS version they will ever see. BIND 9.11 is already adding a DNS COOKIE option to every request. That is causing some firewalls to be fixed as well as some nameservers. We haven't added additional workaround code for this. Mark > -- > P Vixie > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
