> On 5 Oct 2018, at 3:12 pm, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>
>
> On 5/Oct/18 03:07, John Levine wrote:
>
>> Yeah, V6 UDP fragmentation and anycast are bad news. You can sort of
>> fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot
>> easier to stick to v4.
>>
>> Geoff Huston has written about this a lot and it's a well known problem
>> in the DNS community. I'm surprised if it's news to anyone here.
>>
>>
>> https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/
>
> In BIND, I think this can be solved by using the "minimal-responses" knob.
>
> Mark.
If you don’t want fragmented IPv6 UDP responses use

server ::/0 { edns-udp-size 1232; };

That’s 1280 - IPv6 header - UDP header. Anything bigger than that can theoretically be fragmented. You will then have to deal with PMTUD failures as the servers switch over to TCP.

What I find ridiculous is firewall vendors that claim to support adding stateful rules on demand but don’t add “from <src> to <dst> frag offset != 0” when they add “from <src> to <dst> proto xxx src-port <dst-port> dst-port <src-port>”, or don’t do packet reassembly to work around the lack of passing fragments. This is IP, and fragments are part and parcel of IP whether it is IPv4 or IPv6.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
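As an added illustration of the buffer-size arithmetic above (this is not BIND or ISC code, and the function names, the constructed query/replies and the example.net records are invented here), the script below builds a DNS query whose EDNS0 OPT record advertises a 1232-byte UDP buffer, the same figure the `edns-udp-size 1232` setting sends, and then classifies constructed replies: one that fits in a single 1280-byte IPv6 packet, one that would have to be fragmented, and one that carries the TC bit and so must be retried over TCP. `server_should_truncate` shows the server-side half of the same rule: cap the UDP answer at min(client buffer, own cap) and set TC instead of emitting a fragment.

```python
"""Build a DNS query that advertises an EDNS0 UDP buffer size, then classify
replies by whether they fit in an unfragmented IPv6 packet.

Added illustration for this thread; not BIND or ISC code. Names such as
build_query/classify_reply and the sample messages are made up here."""
import struct

IPV6_MIN_MTU = 1280      # every IPv6 link must carry this much without fragmenting
IPV6_HEADER = 40
UDP_HEADER = 8
SAFE_EDNS_SIZE = IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER   # 1232, as in the post

TYPE_TXT, TYPE_DNSKEY, TYPE_OPT = 16, 48, 41
FLAG_TC = 0x0200


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def build_query(qname, qtype, udp_size=SAFE_EDNS_SIZE, txid=0x1234, dnssec_ok=True):
    """RD query with one question and an OPT RR advertising udp_size bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size,
    # TTL field carries ext-rcode/version/DO flag, empty RDATA.
    ttl_field = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl_field, 0)
    return header + question + opt


def build_reply(query, answers, tc=False, udp_size=SAFE_EDNS_SIZE):
    """Constructed response echoing the query's question; answers = [(name, type, rdata)]."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_TC if tc else 0)             # QR, RD, RA (+TC)
    question = query[12:skip_name(query, 12) + 4]
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 300, len(r)) + r
                   for n, t, r in answers)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    return header + question + rrs + opt


def parse_edns(msg):
    """Return (tc_bit, advertised_udp_size or None) for a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            size = rclass
    return bool(flags & FLAG_TC), size


def classify_reply(msg, mtu=IPV6_MIN_MTU):
    """How a resolver should treat a UDP reply it just received."""
    tc, _ = parse_edns(msg)
    if tc:
        return "truncated: retry over TCP"
    if len(msg) + IPV6_HEADER + UDP_HEADER > mtu:
        return "fragmented"      # only seen if the fragments made it through the firewall
    return "fits"


def server_should_truncate(reply, client_udp_size, server_cap=SAFE_EDNS_SIZE):
    """A server that answers within min(client buffer, its own cap) sets TC
    instead of sending a reply that would need fragmenting."""
    return len(reply) > min(client_udp_size, server_cap)


if __name__ == "__main__":
    q = build_query("example.net", TYPE_DNSKEY)
    small = build_reply(q, [("example.net", TYPE_TXT, b"\x05hello")])
    big = build_reply(q, [("example.net", TYPE_TXT, b"\xff" + b"x" * 255)] * 5)
    print(len(small), classify_reply(small))   # 69 fits
    print(len(big), classify_reply(big))       # 1435 fragmented
    print(server_should_truncate(big, 4096))   # True: cap at 1232 -> TC, client re-queries over TCP
    print(classify_reply(build_reply(q, [], tc=True)))   # truncated: retry over TCP
```

The "fragmented" branch is the case the thread is about: on a path where a stateful firewall opened a pinhole for the UDP reply but drops the non-first fragments, the resolver never sees that message at all, the query simply times out. Advertising 1232 keeps the server on the TC path instead, and the remaining failure mode is the TCP fallback itself (PMTUD problems), which is what the post says you then have to deal with.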