It seems like this draft says that the indicated MRDS overrides the EDNS BUFSIZE value. This seems likely to create problems if the MRDS value could be set by a lower layer in the stack or a downstream processing component (without knowledge of DNS), resulting in responses that are too large for the DNS client's allocated buffer. In other words, just because I am capable of receiving very large UDP packets does not mean that I am capable of processing very large DNS responses.
In general, support for very large DNS responses in UDP is considered harmful because of the potential for reflection-amplification attacks. For this reason, as well as concerns about legacy compatibility and general complexity, I think we would be better off not attempting to use UDP Options with DNS.

--Ben Schwartz

________________________________
From: DNSOP <dnsop-boun...@ietf.org> on behalf of C. M. Heard <he...@pobox.com>
Sent: Sunday, April 28, 2024 5:02 PM
To: DNSOP <dnsop@ietf.org>
Subject: [DNSOP] Fwd: New Version Notification for draft-heard-dnsop-udp-opt-large-dns-responses-00.txt

Greetings,

TSVWG currently has the document "Transport Options for UDP" (https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options) in Working Group Last Call. It includes a capability to fragment datagrams at the UDP layer rather than the IP layer, and one of the use cases that has been discussed over there is using that capability to transmit large DNS responses without suffering the disadvantages of IP fragmentation or fallback to TCP. But we need a reality check from the subject matter experts over here to help us determine whether this idea is viable. Accordingly, I put together a short (and at this point not very polished) individual draft describing how this might work. Your feedback will be greatly appreciated.
Thanks and regards,

Mike Heard

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Sun, Apr 28, 2024 at 12:52 PM
Subject: New Version Notification for draft-heard-dnsop-udp-opt-large-dns-responses-00.txt
To: C. M. Heard (Mike) <he...@pobox.com>

A new version of Internet-Draft draft-heard-dnsop-udp-opt-large-dns-responses-00.txt has been successfully submitted by C. M. (Mike) Heard and posted to the IETF repository.

Name:     draft-heard-dnsop-udp-opt-large-dns-responses
Revision: 00
Title:    Use of UDP Options for Transmission of Large DNS Responses
Date:     2024-04-28
Group:    Individual Submission
Pages:    8
URL:      https://www.ietf.org/archive/id/draft-heard-dnsop-udp-opt-large-dns-responses-00.txt
Status:   https://datatracker.ietf.org/doc/draft-heard-dnsop-udp-opt-large-dns-responses/
HTMLized: https://datatracker.ietf.org/doc/html/draft-heard-dnsop-udp-opt-large-dns-responses

Abstract:

   This document describes an experimental method for using UDP Options to facilitate the transmission of large DNS responses without the use of IP fragmentation or fallback to TCP.

The IETF Secretariat
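The size-limit question raised in this thread (what a server should do when a transport-layer maximum such as a UDP Options MRDS value disagrees with the EDNS(0) UDP payload size the DNS client advertised) is easy to get wrong, so here is a self-contained example. It is added for illustration and is not code from the draft, the thread, or any IETF project. It builds a DNS query and response by hand with the standard library, and applies the rule that a transport-supplied maximum (named `transport_mrds` here, a hypothetical parameter) may only tighten the client's RFC 6891 UDP payload size, never raise it above what the DNS client itself advertised; an answer that does not fit is sent back with TC=1 so the client retries over TCP. The constants (`SERVER_UDP_SIZE` of 1232, the TXT record sizes) and all messages are constructed inline for the example.

```python
"""Added example (not from the draft or the mailing-list thread): bounding a
UDP DNS response when both an EDNS(0) UDP payload size (RFC 6891) and a
hypothetical transport-layer maximum (a UDP Options MRDS) are available.
The transport value may only lower the limit, never raise it above what the
DNS client advertised in its OPT record. Oversized answers get TC=1."""
import struct
from typing import List, Optional

TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1
RFC1035_UDP_LIMIT = 512      # limit when the query carries no OPT record (RFC 1035)
SERVER_UDP_SIZE = 1232       # assumed value the server puts in its own OPT record
TC_FLAG = 0x0200             # TC bit in the DNS flags word


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name; handles compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(qname: str, edns_udp_size: Optional[int] = None, qid: int = 0x1234) -> bytes:
    """TXT query, optionally with an OPT RR advertising edns_udp_size (constructed input)."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def find_opt_udp_size(msg: bytes) -> Optional[int]:
    """UDP payload size from the OPT RR, or None if the message has none."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


def advertised_udp_size(query: bytes) -> int:
    size = find_opt_udp_size(query)
    if size is None:
        return RFC1035_UDP_LIMIT
    return max(size, RFC1035_UDP_LIMIT)               # RFC 6891: values below 512 mean 512


def response_size_limit(query: bytes, transport_mrds: Optional[int] = None) -> int:
    """Effective UDP response limit: the client's advertised size, which a
    transport-supplied maximum (hypothetical MRDS) may tighten but not raise."""
    limit = advertised_udp_size(query)
    return limit if transport_mrds is None else min(limit, transport_mrds)


def build_response(query: bytes, txt_records: List[bytes],
                   transport_mrds: Optional[int] = None) -> bytes:
    """Full TXT answer, or a TC=1 reply if the answer would exceed the limit."""
    qid = query[:2]
    flags = 0x8180                                    # QR=1, RD=1, RA=1
    question = query[12:skip_name(query, 12) + 4]
    opt = b""
    if find_opt_udp_size(query) is not None:          # echo EDNS only if the client used it
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, SERVER_UDP_SIZE, 0, 0)
    arcount = 1 if opt else 0
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt               # one <character-string>, <= 255 bytes
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    full = qid + struct.pack("!HHHHH", flags, 1, len(txt_records), 0, arcount) + question + answers + opt
    if len(full) <= response_size_limit(query, transport_mrds):
        return full
    # Too large for the client's DNS buffer: no answers, TC=1, client retries over TCP
    return qid + struct.pack("!HHHHH", flags | TC_FLAG, 1, 0, 0, arcount) + question + opt


def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte received, the ratio a reflector abuses."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=4096)
    r = build_response(q, [b"A" * 200] * 10)
    print(len(q), len(r), is_truncated(r), round(amplification_factor(q, r), 2))
    print("limit with MRDS=65535:", response_size_limit(q, transport_mrds=65535))
```

Note that `response_size_limit` keeps the transport value on the tightening side only; passing an MRDS of 65535 still yields the client's 4096, which is the behaviour the reply above argues for. The amplification figure for the 10-record answer (a 40-byte query returning 2170 bytes) shows why a larger UDP ceiling is unattractive on its own.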
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop