Hey Petr, at least one popular upstream DNS provider (Quad9 at 9.9.9.9 and their other addresses) switched from 1280 to 1232. This means the "should always work" size of dnsmasq is slightly too large for them and might fails for those queries where the payload lies in between these two values. Hence, I still find it meaningful to reduce the number. Otherwise, I perfectly agree with you on that 1232 is some guesswork and that there will be no ultimate answer.
Best, Dominik On Tue, 2022-01-11 at 11:52 +0100, Petr Menšík wrote: > I doubt that small difference matters. 1280 or 1232 is almost > the same. > It is about the smallest packet supported by IPv6. I think size > 1232 was > invented by more or less sophisticated guessing. I am not sure > this is > required to be exactly this value. I would leave it at the > current value > unless we know a case where it is insufficient. > > Cheers, > Petr > > On 1/9/22 11:06, Dominik Derigs wrote: > > Hey Simon, > > > > Minimum safe size is recommended to be 1232. See > > https://dnsflagday.net/2020/, relevant parts below: > > > > > This year, we are focusing on problems with IP > > > fragmentation of > > DNS packets. > > > IP fragmentation is unreliable on the Internet today, and > > > can > > cause transmission failures when large DNS messages are sent > > via > > UDP. Even when fragmentation does work, it may not be secure; > > it > > is theoretically possible to spoof parts of a fragmented DNS > > message, without easy detection at the receiving end. > > > - Bonica R. et al, “IP Fragmentation Considered Fragile”, > > > Work > > in Progress, July 2018 > > > - Huston G., “IPv6, Large UDP Packets and the DNS”, August > > > 2017 > > > - Fujiwara K., “Measures against cache poisoning attacks > > > using > > IP fragmentation in DNS”, May 2019 > > > - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, > > > September > > 2019 > > > Recently, there was an paper and presentation Defragmenting > > > DNS > > - Determining the optimal maximum UDP response size for DNS > > by > > Axel Koolhaas, and Tjeerd Slokker in collaboration with NLnet > > Labs that explored the real world data using the RIPE Atlas > > probes and the researchers suggested different values for > > IPv4 > > and IPv6 and in different scenarios. This is practical for > > the > > server operators that know their environment, and **the > > defaults > > in the DNS software should reflect the minimum safe size > > which is > > 1232.** > > > > This PR reduces the minimum safe size to said 1232 bytes. > > Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ` > > (currently `4096`) to ensure fragmentation will never happen, > > but > > I don't think we really want to do this given the steady > > growth > > in DNSSEC-enabled zones (see trend graphs on > > https://stats.dnssec-tools.org). > > > > Best, > > Dominik > _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
