On Wed, Mar 21, 2018 at 04:10:15PM +0000, Tony Finch wrote:
> In the intarea meeting, there was some discussion of
> "IP fragmentation considered fragile"
> https://tools.ietf.org/html/draft-bonica-intarea-frag-fragile
> 
> That draft correctly calls out the DNS as particularly problematic wrt
> fragmentation, so I think it might be worth writing a dnsop draft that
> explains how to reduce the amount that the DNS causes fragmented packets
> and relies on them working.

Some topics in the same area:

(1) An alternative is to split responses at the application level into
multiple UDP datagrams:
https://tools.ietf.org/html/draft-muks-dnsop-dns-message-fragments-00

(2) There is a tiny risk of spoofed fragments. Cookies should mitigate
some of this risk as the OPT RR would usually go in the last IP fragment
(this should be OK for up to 2 fragments). A mechanism to mitigate IP
fragment spoofing would be a stronger (than UDP) checksum:
https://tools.ietf.org/html/draft-muks-dnsop-dns-message-checksums-01

                Mukund
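To see why the OPT RR (and a cookie it carries) usually lands in the last IP fragment, here is an added example, not code from the thread or from any draft mentioned in it: it builds a constructed DNS response padded with TXT records, places an EDNS OPT RR with a COOKIE option at the end of the Additional section, splits the UDP payload at IPv4 fragment boundaries for an assumed 1500-byte MTU, and reports which fragment holds the OPT RR. All names, record counts and cookie bytes are made up for illustration.

```python
import struct

def _name(s):
    # Uncompressed wire-format name (constructed example, no label compression)
    out = b""
    for label in s.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, txt_count, cookie=b"\x01" * 8 + b"\x02" * 16):
    """Constructed DNS response: header, one TXT question, txt_count padding
    TXT answers, then an OPT RR (RFC 6891) carrying a COOKIE option
    (option code 10, RFC 7873). Returns (message, byte offset of OPT RR)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, txt_count, 0, 1)
    q = _name(qname) + struct.pack("!HH", 16, 1)            # TXT, IN
    rdata = b"\xff" + b"x" * 255                             # one 255-byte character-string
    answers = b""
    for _ in range(txt_count):
        answers += _name(qname) + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    opt_data = struct.pack("!HH", 10, len(cookie)) + cookie
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. RCODE/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_data)) + opt_data
    msg = hdr + q + answers + opt
    return msg, len(msg) - len(opt)

def ipv4_fragments(payload_len, mtu=1500):
    """[(start, end)] byte ranges of the UDP payload carried by each IPv4
    fragment. The first fragment also carries the 8-byte UDP header; each
    fragment's data (after the 20-byte IP header) is a multiple of 8 bytes,
    except the last."""
    udp_len = 8 + payload_len
    per_frag = (mtu - 20) // 8 * 8
    if udp_len <= per_frag:
        return [(0, payload_len)]                            # not fragmented
    frags, off = [], 0
    while off < udp_len:
        nxt = min(off + per_frag, udp_len)
        frags.append((max(off - 8, 0), nxt - 8))             # strip UDP header offset
        off = nxt
    return frags

def opt_fragment(msg, opt_off, mtu=1500):
    """(1-based index of the fragment holding the start of the OPT RR, total fragments)."""
    frags = ipv4_fragments(len(msg), mtu)
    for i, (start, end) in enumerate(frags, 1):
        if start <= opt_off < end:
            return i, len(frags)

if __name__ == "__main__":
    for n in (1, 6, 12):
        m, off = build_response("example.test.", n)
        print(len(m), "bytes -> OPT RR in fragment %d of %d" % opt_fragment(m, off))
```

With 6 padding records the 1749-byte response splits into two fragments and the OPT RR sits in the second; with 12 records it is in the third of three, so any cookie check only applies once every earlier fragment has been reassembled.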
