On Sep 11, 2020, at 1:24 PM, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
>
> In short: I would be perfectly okay if the recommendation were ONLY for the
> authority (and server side of resolvers) to lower their default configured
> UDP bufsizes, at which point having a range of recommended values (rather
> than a single value) would be more appropriate.
> Server-side defaults can have their values changed (overridden) by config
> changes, but that ONLY has effect if the clients are NOT ALSO implementing
> the SAME values.
>
> That's the problem: EDNS0 UDP Bufsize negotiation allows different values to
> be configured/offered, and uses the MINIMUM value. If both ends have their
> defaults lowered, and that causes a problem, it CANNOT be fixed unilaterally.
FWIW I agree with this argument - the fact that there are two configured bufsize values is very important, perhaps more so in the OpenDNS case than elsewhere due to our DNSCrypt traffic. However, I would argue that the reduced number (whether it's 1232, 1400 or 1452) should be chosen by the requestor.

My argument goes something like this. When a DNS request is sent, the client (whether a stub or a resolver) is the most qualified to know specifics about the "connection" and is also the target of fragmentation attacks. If the client has a "secure path" to the server (DNSCrypt, DNSCurve, DTLS, a VPN, localhost), a value of 4096 is a great choice. If a client is a stub inside a complicated enterprise network where VLANs and tunnels and [other stuff] are in effect, 1232 might be appropriate. If a client has an unfettered Internet connection, a value of 1452 might be better. Playing into this, a client might also decide to drop fragments (because they're just too dangerous) and might want to use 1232 "just in case".

All of these decisions are client decisions. Should the server ever decide? I don't know of any use case where it should, other than to limit abuse (amplification attacks).

IMHO a default request bufsize of 1500 or less (1400 seems popular) would serve the DNS community best, leaving the default response bufsize at 4096 (is that the usual value?).

— Brian
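A worked illustration of the "minimum of the two values" behaviour discussed in this thread (an added example, not code from either message): build a query that advertises a given EDNS0 UDP payload size, read that size back out of the wire format, and compute the size a responder will actually use. The query name and transaction id are constructed sample values.

```python
import struct
from typing import Optional

EDNS_OPT_TYPE = 41  # OPT pseudo-RR type (RFC 6891)


def build_query(qname: str, qtype: int, udp_payload: Optional[int], txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; if udp_payload is given, append an OPT RR advertising it."""
    arcount = 1 if udp_payload is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if udp_payload is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_bufsize(msg: bytes) -> Optional[int]:
    """Return the UDP payload size carried in the OPT RR, or None if the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS_OPT_TYPE:
            return rclass  # for OPT, the CLASS field is the payload size
        off += 10 + rdlen
    return None


def effective_bufsize(client_advertised: Optional[int], server_max: int) -> int:
    """Nothing is negotiated: the responder uses the smaller of the requestor's and its own limit.
    Without EDNS0 the classic 512-byte limit applies; advertised values below 512 count as 512."""
    if client_advertised is None:
        return 512
    return min(max(client_advertised, 512), server_max)
```

Lowering either side's configured value lowers the effective size, which is why a change on one end cannot undo a too-small default on the other.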