Moin!
On 22 Jan 2019, at 9:50, Davey Song wrote:
> It is not rare. It is just under the water. You cannot run a ship
> unaware of it, especially towards an IPv6-only future. Here are some
> pointers and numbers:
> [1] presents a 28.26% ~ 55.23% packet drop rate for IPv6 fragments.
> [2] reports 10% of the paths between the vantage points and the
> experimental setup filter IP fragments. [3] reports 37.45% of
> endpoints used IPv6-capable DNS resolvers that were incapable of
> receiving a fragmented IPv6 response. [4] Yeti testbed also observed
> over 7% failure rate for queries against IPv6-only server during KSK
> rollover using 100 probes. [5] is an IETF workgroup document of this
> problem. It is **not** a rare operational problem.
You see on that listing that the more you go to an actual real world
scenario the lower the impact gets. As soon as you add an IPv4 server
the problem is gone. Now IMHO we should work on getting these rates
where fragments are dropped down and not implement yet another
workaround.
> Ralf Weber: Having one v6 name server that will respond correctly with
> fragments also solves the problem. I think the problem space is too
> narrow to burden this problem on all resolvers.
> Now 389 of the v6 TLD servers including .org reply with large packets,
> please check [Appendix]. I'm not sure how they can respond correctly
> currently when they need to add more content in the answer section. I'm
> told that a few large DNS operators are using a certain DNSSEC tool
> generating a large DNSKEY RRset and RRSIG RRset.
Replying with large packets itself is not the problem. The problem is
something in between most probably to either edge is dropping
reassembling of fragmented packets. For some of the resolvers I run and my
client network I just did a spot check and all v6 fragments get
reassembled and I could use UDP with a large bufsize to get the DNSKEY
for org. I even tried some of the more crazy ones with ~3k key set
size. Again no problem. So it is possible to run an IPv6 DNS server with
large packet sizes over UDP.
So long
-Ralf
--
Ralf Weber
Sample digs
; <<>> DiG 9.12.3-P1 <<>> DNSKEY +dnssec +bufsize=4096 org. +notcp @2001:500:48::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36371
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN DNSKEY
;; ANSWER SECTION:
;; Query time: 19 msec
;; SERVER: 2001:500:48::1#53(2001:500:48::1)
;; WHEN: Tue Jan 22 11:17:33 CET 2019
;; MSG SIZE rcvd: 1625
; <<>> DiG 9.12.3-P1 <<>> bg. DNSKEY +dnssec +notcp @2a02:6a80::192:92:129:99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33260
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bg. IN DNSKEY
;; ANSWER SECTION:
;; Query time: 54 msec
;; SERVER: 2a02:6a80::192:92:129:99#53(2a02:6a80::192:92:129:99)
;; WHEN: Tue Jan 22 11:20:04 CET 2019
;; MSG SIZE rcvd: 3103
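The spot check described in this message (a DNSKEY query with DNSSEC OK and a large EDNS0 buffer size, sent over IPv6 UDP with no TCP fallback) can be scripted as below. This is an added example, not part of the original message; the function names and the 1500-byte path MTU used to decide whether a reply must have been fragmented are assumptions.

```python
import socket
import struct

IPV6_HDR, UDP_HDR = 40, 8  # fixed IPv6 header and UDP header sizes in bytes

def build_query(name, qtype=48, bufsize=4096, qid=0x1234):
    """Wire-format query with an EDNS0 OPT record and DO set (qtype 48 = DNSKEY).
    RD is left clear because the target is an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO = 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def classify(response, mtu=1500):
    """Classify a UDP reply (bytes), or None for a timeout, by what it says
    about fragment delivery on the path."""
    if response is None:
        return "timeout"        # consistent with dropped fragments, not proof of it
    if len(response) < 12:
        return "malformed"      # shorter than a DNS header
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x0200:
        return "truncated"      # TC set: the large answer was not sent over UDP
    if len(response) > mtu - IPV6_HDR - UDP_HDR:
        return "fragmented-ok"  # too large for one packet, so it arrived reassembled
    return "single-packet"

def probe(server, name, bufsize=4096, timeout=3.0):
    """Send the query over IPv6 UDP only and classify the outcome."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize=bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            data = None
    return classify(data)
```

A "timeout" result should be repeated with a small bufsize (for example 1232) before blaming fragment filtering: if the small query gets a "truncated" or "single-packet" reply while the large one times out, the loss is specific to fragmented responses.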