On Sep 11, 2020, at 1:24 PM, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
> 
> In short: I would be perfectly okay if the recommendation were ONLY for the 
> authority (and server side of resolvers) to lower their default configured 
> UDP bufsizes, at which point having a range of recommended values (rather 
> than a single value) would be more appropriate.
> Server-side defaults can have their values changed (overridden) by config 
> changes, but that ONLY has effect if the clients are NOT ALSO implementing 
> the SAME values.
> 
> That's the problem: EDNS0 UDP Bufsize negotiation allows different values to 
> be configured/offered, and uses the MINIMUM value. If both ends have their 
> defaults lowered, and that causes a problem, it CANNOT be fixed unilaterally.

FWIW I agree with this argument - the fact that there are two configured
bufsize values is very important, perhaps more so in the OpenDNS case
than elsewhere due to our DNSCrypt traffic.  However, I would argue that
the reduced number (whether it’s 1232, 1400 or 1452) should be chosen
by the requestor.

My argument goes something like this.  When a DNS request is sent,    
the client (whether a stub or a resolver) is the most qualified to     
know specifics about the "connection" and is also the target of
fragmentation attacks.  If the client has a "secure path" to the
server (DNSCrypt, DNSCurve, DTLS, a VPN, localhost), a value of 4096 is
a great choice.  If a client is a stub inside a complicated enterprise  
network where VLANs and tunnels and [other stuff] are in effect, 1232   
might be appropriate.  If a client has an unfettered Internet connection,
a value of 1452 might be better.  Playing into this, a client might
also decide to drop fragments (because they’re just too dangerous)
and might want to use 1232 “just in case”.

All of these decisions are client decisions.  Should the server ever
decide?  I don’t know of any use case where it should, other than to
limit abuse (amplification attacks).

IMHO a default request bufsize of 1500 or less (1400 seems popular)
would serve the DNS community best, leaving the default response bufsize
at 4096 (is that the usual value?).

—
Brian
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
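An added example (not code from either poster) illustrating the two points argued above: the EDNS0 OPT record is where the requestor advertises its UDP payload size (RFC 6891), the effective response limit is the minimum of what the client advertised and what the server is configured for, and the common defaults (1232, 1452) fall out of path MTU minus IP and UDP headers. The record layout and sample sizes are constructed here for demonstration.

```python
import struct
from typing import Optional

# OPT pseudo-RR (RFC 6891): NAME is the root label (0x00), TYPE is 41,
# the CLASS field carries the requestor's UDP payload size, TTL carries
# extended RCODE/version/flags (zero here), and RDLENGTH is 0 (no options).
OPT_TYPE = 41
CLASSIC_DNS_LIMIT = 512  # RFC 1035 limit when no OPT RR is present


def build_opt_rr(udp_size: int) -> bytes:
    """Serialize a minimal OPT RR advertising udp_size as the payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def advertised_udp_size(rr: bytes) -> Optional[int]:
    """Return the advertised UDP payload size, or None if rr is not an OPT RR."""
    if len(rr) < 11 or rr[0] != 0:
        return None
    rtype, udp_size, _ttl, _rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        return None
    return udp_size


def effective_response_limit(client_advertised: Optional[int], server_max: int) -> int:
    """Largest UDP response the server may send for this query.

    Without EDNS0 the classic 512-byte limit applies. Otherwise both sides
    cap the value and the smaller wins (values below 512 are treated as 512
    per RFC 6891), which is why lowering one side's default cannot be
    undone by raising the other's.
    """
    if client_advertised is None:
        return CLASSIC_DNS_LIMIT
    return min(max(client_advertised, CLASSIC_DNS_LIMIT), server_max)


def max_unfragmented_payload(path_mtu: int, ipv6: bool) -> int:
    """Largest DNS message that fits one datagram on a path with this MTU.

    Subtracts the IP header (40 bytes for IPv6, 20 for IPv4 without options)
    and the 8-byte UDP header. 1500 on IPv6 gives 1452; the IPv6 minimum
    MTU of 1280 gives 1232, the "just in case" value from the thread.
    """
    return path_mtu - (40 if ipv6 else 20) - 8
```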
