[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS

Andreas Schulze andreas.schulze at datev.de
Wed Aug 23 16:56:17 UTC 2017

Am 23.08.2017 um 16:05 schrieb P Vix:
> Fragmentation in v6 was meant to be an improvement on v4, by making it 
> end to end only ... Routers don't fragment. Turns out icmp6 is a huge 
> security hole and is most often blocked.
> I had thought that DNS servers were now using mtu 1280 to work around it.
I set 1220 on all of my NSD instances months ago. At least, it don't hurt.

( see https://nlnetlabs.nl/projects/nsd/nsd.conf.5.html )
  outgoing-tcp-mss: 1220
  tcp-mss: 1220


More information about the discuss mailing list