Fujiwara-san,
IMHO, as long as we use UDP, fragmentation is inevitable in a heterogeneous IP
network (“the internet”). We can avoid IP fragmentation as much as possible with some
techniques, but should be prepared for the case in which fragmentation is really needed.
> o Full-service resolvers MAY drop fragmented UDP
> responses derived from DNS before IP assembly.
> (It is a countermeasure against DNS cache poisoning attacks
> using IP fragmentation.)
Just dropping fragmented responses breaks DNS resolution when fragmentation was
really needed to deliver the response. Full-service resolvers need to take further
action, i.e. retry in TCP mode.
However, implementing “retry in TCP mode when fragmentation is received” has some
difficulties, because there is no socket API (in general) to know whether a UDP
packet was derived from IP reassembly. I just wrote a simple nfqueue filter to
replace fragmented DNS responses with tc=1 responses [1], but I don’t think all
operators can deploy such a filter.
[1] https://github.com/hdais/dnsfrag2tc
> o And more, authoritative servers MAY send DNS responses with
> IP_DONTFRAG / IPV6_DONTFRAG options.
Authoritative servers also need to be prepared for the case in which a DNS response could
not be delivered due to IP_DONTFRAG but fragmentation was really needed.
In this case authoritative servers should learn of it via some error code
(EMSGSIZE?) from recvfrom() syscalls, and the servers can resend tc=1 to force
resolvers to retry in TCP mode.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
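As an added example (not the dnsfrag2tc code, nor any resolver's or authoritative server's implementation), the following Python sketches both halves of what the message above describes: building the minimal TC=1 reply that a filter would substitute for a fragmented response, and the authoritative-side fallback that catches EMSGSIZE from a socket marked don't-fragment and resends TC=1 so the resolver retries over TCP. The socket option names and numeric fallbacks in set_dontfrag are assumptions (Linux values); the sample response and the fake sendto are constructed for the demonstration.

```python
"""Added example: synthesize a TC=1 DNS response from a full response, and
fall back to it when a don't-fragment UDP socket refuses a send with EMSGSIZE.
Not the dnsfrag2tc code; constants and sample data are assumptions/constructed."""
import errno
import socket
import struct

QR_BIT = 0x8000  # header flags: this message is a response
TC_BIT = 0x0200  # header flags: truncated, resolver should retry over TCP


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the wire-format domain name at `off`.
    A compression pointer (top two bits set) is 2 bytes and ends the name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def make_tc_response(msg: bytes) -> bytes:
    """Build the minimal TC=1 reply for a full DNS response: same ID and flags
    plus TC, the question section copied verbatim, AN/NS/AR counts zeroed.
    The copied bytes keep their offsets, so any pointers inside stay valid."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR_BIT:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QNAME, then QTYPE + QCLASS
        if off > len(msg):
            raise ValueError("question section runs past end of message")
    header = struct.pack("!HHHHHH", ident, flags | TC_BIT, qdcount, 0, 0, 0)
    return header + msg[12:off]


def set_dontfrag(sock: socket.socket) -> None:
    """Ask the kernel never to fragment datagrams sent on this UDP socket.
    Option names vary by OS; the numeric fallbacks are the Linux values
    (assumption: Linux, where IPv4 uses IP_MTU_DISCOVER = IP_PMTUDISC_DO)."""
    if sock.family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, getattr(socket, "IPV6_DONTFRAG", 62), 1)
    else:
        sock.setsockopt(socket.IPPROTO_IP, getattr(socket, "IP_MTU_DISCOVER", 10),
                        getattr(socket, "IP_PMTUDISC_DO", 2))


def send_with_tc_fallback(sendto, msg: bytes, addr) -> bytes:
    """Send `msg` via sendto(data, addr) on a socket prepared by set_dontfrag().
    If the kernel refuses the datagram with EMSGSIZE (it would need fragmenting),
    send a TC=1 reply instead so the resolver retries over TCP.
    Returns whatever was actually sent."""
    try:
        sendto(msg, addr)
        return msg
    except OSError as exc:
        if exc.errno != errno.EMSGSIZE:
            raise
        tc = make_tc_response(msg)
        sendto(tc, addr)
        return tc


def fake_dontfrag_sendto(max_payload: int):
    """Constructed stand-in for socket.sendto on a don't-fragment socket: refuses
    anything larger than max_payload with EMSGSIZE and records what it sent."""
    sent = []

    def sendto(data, addr):
        if len(data) > max_payload:
            raise OSError(errno.EMSGSIZE, "Message too long")
        sent.append((data, addr))

    sendto.sent = sent
    return sendto


def _wire_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_sample_response() -> bytes:
    """Constructed sample: response to 'example.com. IN A' carrying one A record
    and a 768-byte TXT record, so it is far larger than a 512-byte UDP payload."""
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 2, 0, 0)  # QR RD RA, NOERROR
    question = _wire_name("example.com.") + struct.pack("!HH", 1, 1)  # A, IN
    ptr = b"\xc0\x0c"  # compression pointer to the QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    txt_rdata = (bytes([255]) + b"x" * 255) * 3
    txt_rr = ptr + struct.pack("!HHIH", 16, 1, 300, len(txt_rdata)) + txt_rdata
    return header + question + a_rr + txt_rr


if __name__ == "__main__":
    full = build_sample_response()
    sendto = fake_dontfrag_sendto(512)  # pretend only 512 bytes fit unfragmented
    sent = send_with_tc_fallback(sendto, full, ("192.0.2.53", 53))
    flags = struct.unpack("!H", sent[2:4])[0]
    print(len(full), "->", len(sent), "bytes, TC set:", bool(flags & TC_BIT))
```

The fallback keeps the original ID and flags and only zeroes the record counts, so the resolver can match the TC reply to its outstanding query and retry the same question over TCP; on a real server the sendto argument would be the bound UDP socket's own sendto after set_dontfrag has been applied.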