In message <59c48658.9000...@redbarn.org>, Paul Vixie writes:
> Mark Andrews wrote:
> ...
> > Just padding UDP responses to EDNS buffer size should be enough to
> > force fragmentation. If you advertise a 4096 buffer you should be
> > able to accept such a response.
>
> i don't want to waste the octets. a lot of links are still mobile.
> forcing source fragmentation for payloads longer than 512 will do.

Setsockopt IPV6_USE_MIN_MTU=1 for IPv6.

> > We also need to bump the EDNS version number. Going to EDNS(1)
> > will hit the firewalls that think EDNS(0) is the only EDNS version
> > they will ever see.
>
> that would drag in version negotiation -- a lot of responders would say
> BADVERS which would lead, best case, to another round trip. but since
> the version negotiation code paths aren't tested, it may be worse.

Version negotiation occurring will self correct. An extra round trip
isn't too expensive. We get enough FORMERR/BADVERS to EDNS(0) + DNS
COOKIE queries to know that it isn't a practical issue.

I've tested enough version negotiation paths. See https://ednscomp.isc.org/
The entries with "badversion" show a failed EDNS version negotiation.
The entire Alexa top 1M is scanned once a month.

EDNS(0) + rcode != BADVERS -> badversion
BADVERS + response version >= request version -> badversion

> > BIND 9.11 is already adding a DNS COOKIE option to every request.
> > That is causing some firewalls to be fixed as well as some nameservers.
> > We haven't added additional workaround code for this.
>
> nice. thanks for that.
>
> --
> P Vixie
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop