[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS
Geoff Huston
gih at apnic.net
Thu Aug 24 08:54:48 UTC 2017
> On 24 Aug 2017, at 12:05 am, P Vix <paul at redbarn.org> wrote:
>
> Fragmentation in v6 was meant to be an improvement on v4, by making it end to end only ... Routers don't fragment. Turns out icmp6 is a huge security hole and is most often blocked.
>
> I had thought that DNS servers were now using mtu 1280 to work around it.
>
There is a significant level of diversity about how DNS servers manage IPv6.
The problem is that if you use a low MTU then you need to fragment your response if the response is larger than your MTU. The problem is that fragmenting the response means that there is a far change (more than 1 in 3) that you may be using a recursive resolver that cannot receive a fragmented DNS response over IPv6. Google’s public DNS service, for example. So a low MTU for UDP increases the probability of encountering IPv6 fragmentation extension drop. bad.
Increasing the MTU size increases the possibility of encountering a Path MTU problem and at this stage you have the tough problem of figuring out how to manage an ICMPv6 PTB message and a sessionless application that emits UDP. bad.
No clean answers here, but for UDP I would suggest that higher is marginally less worse than lower.
More information about the discuss
mailing list