It seems like this draft says that the indicated MRDS overrides the EDNS 
BUFSIZE value.  This seems likely to create problems if the MRDS value could be 
set by a lower layer in the stack or a downstream processing component (without 
knowledge of DNS), resulting in responses that are too large for the DNS 
client's allocated buffer.  In other words, just because I am capable of 
receiving very large UDP packets does not mean that I am capable of processing 
very large DNS responses.

In general, support for very large DNS responses in UDP is considered harmful 
because of the potential for reflection-amplification attacks.  For this 
reason, as well as concerns about legacy compatibility and general complexity, 
I think we would be better off not attempting to use UDP Options with DNS.

--Ben Schwartz
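As an added illustration of the point above (example code, not from this thread or from either draft): a responder parses the EDNS(0) UDP payload size the client actually advertised and lets an MRDS value from the UDP layer only lower that ceiling, never raise it, setting TC otherwise. Treating MRDS as a plain integer byte count, and the build_query helper with its constructed sample query, are assumptions made for the example.

```python
import struct
from typing import Optional

OPT_RRTYPE = 41          # EDNS(0) OPT pseudo-RR (RFC 6891)
DNS_UDP_DEFAULT = 512    # classic DNS/UDP limit when no OPT record is present


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format domain name, including compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def edns_bufsize(query: bytes) -> int:
    """UDP payload size the client advertised in its OPT record (CLASS field);
    512 if there is no EDNS(0), and never below 512 as RFC 6891 requires."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", query[:12])
    off = 12
    for _ in range(qd):                  # question: name + QTYPE + QCLASS
        off = _skip_name(query, off) + 4
    for i in range(an + ns + ar):        # answer, authority, additional RRs
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if i >= an + ns and rtype == OPT_RRTYPE:   # OPT lives in the additional section
            return max(rclass, DNS_UDP_DEFAULT)
        off += 10 + rdlen
    return DNS_UDP_DEFAULT


def effective_udp_limit(bufsize: int, mrds: Optional[int] = None) -> int:
    """Largest UDP response to send: the client's EDNS buffer size is the ceiling;
    an MRDS hint from the UDP layer (assumed: byte count) may only lower it."""
    return bufsize if mrds is None else min(bufsize, mrds)


def needs_truncation(response_len: int, bufsize: int, mrds: Optional[int] = None) -> bool:
    """True if the responder must set TC and let the client retry over TCP."""
    return response_len > effective_udp_limit(bufsize, mrds)


def build_query(name: str = "example.com", bufsize: Optional[int] = 1232) -> bytes:
    """Constructed sample A query, with an OPT record unless bufsize is None."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if bufsize is None else 1)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    opt = b"" if bufsize is None else b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, bufsize, 0, 0)
    return header + question + opt
```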
________________________________
From: DNSOP <dnsop-boun...@ietf.org> on behalf of C. M. Heard <he...@pobox.com>
Sent: Sunday, April 28, 2024 5:02 PM
To: DNSOP <dnsop@ietf.org>
Subject: [DNSOP] Fwd: New Version Notification for 
draft-heard-dnsop-udp-opt-large-dns-responses-00.txt

Greetings,

TSVWG currently has the document "Transport Options for UDP" 
(https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options)
in Working Group Last Call. It includes a capability to fragment datagrams at 
the UDP layer rather than the IP layer, and one of the use cases that has been 
discussed over there is using that capability to transmit large DNS responses 
without suffering the disadvantages of IP fragmentation or fallback to TCP. But 
we need a reality check from the subject matter experts over here to help us 
determine whether this idea is viable. Accordingly, I put together a short (and 
at this point not very polished) individual draft describing how this might 
work. Your feedback will be greatly appreciated.

Thanks and regards,

Mike Heard

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Sun, Apr 28, 2024 at 12:52 PM
Subject: New Version Notification for 
draft-heard-dnsop-udp-opt-large-dns-responses-00.txt
To: C. M. Heard (Mike) <he...@pobox.com>


A new version of Internet-Draft
draft-heard-dnsop-udp-opt-large-dns-responses-00.txt has been successfully
submitted by C. M. (Mike) Heard and posted to the
IETF repository.

Name:     draft-heard-dnsop-udp-opt-large-dns-responses
Revision: 00
Title:    Use of UDP Options for Transmission of Large DNS Responses
Date:     2024-04-28
Group:    Individual Submission
Pages:    8
URL:      https://www.ietf.org/archive/id/draft-heard-dnsop-udp-opt-large-dns-responses-00.txt
Status:   https://datatracker.ietf.org/doc/draft-heard-dnsop-udp-opt-large-dns-responses/
HTMLized: https://datatracker.ietf.org/doc/html/draft-heard-dnsop-udp-opt-large-dns-responses


Abstract:

   This document describes an experimental method for using UDP Options
   to facilitate the transmission of large DNS responses without the
   use of IP fragmentation or fallback to TCP.



The IETF Secretariat


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop