[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS

Paul Vixie paul at redbarn.org
Fri Aug 25 05:06:11 UTC 2017
Daniel Stirnimann wrote:
>>> Which is fine except for the unfortunate observation that some 17%
>>> of resolvers appear to have some kind of broken firewall in front
>>> of them that prevents them from establishing a TCP session.
>> Wild guess: resolvers in such broken environments are probably not
>> validating resolvers and thus will probably never request anything
>> larger than 1200/1400 bytes.
>
> this is an interesting thread and reminds me that the best for DNSSEC is
> to move to ECDSA. The number of validating resolvers not understanding
> ECDSA is less of a problem than the number of resolvers having problems
> with fragmentation / tcp.

that's not realistic. operators for whom dnssec is not working usually
won't know it. if they know it, they won't know why. if they know why,
they won't know that ecdsa is a workaround.

your suggestion is similar to asking everybody to put a rocket motor on
their pig so that it will fly. they don't understand why pigs don't fly
or why your fix will matter.

>
> Thank you Geoff for all your measurements in this area.

+1, even if i think the outcome is other than the above.

-- 
P Vixie
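
Editor's note (not part of the thread): the size argument behind Daniel's suggestion and the 1200/1400-byte and TCP-fallback points above can be made concrete by building the DNSKEY response on the wire. The Python below is an added example, not code from any list participant or from Yeti; it follows the RFC 1035/4034/6891 wire formats and uses constructed inputs (the zone name example.com, a key-rollover scenario with two KSKs and two ZSKs, zeroed key and signature bytes of the sizes RSA-2048 and ECDSA P-256 produce). It also shows why a non-validating resolver, which does not set DO, never sees the RRSIGs and so rarely hits the large-response path.

```python
"""Estimate DNSSEC response sizes and their UDP/IPv6 fate (added example,
constructed data; follows RFC 1035, RFC 4034 and RFC 6891 wire formats)."""
import struct

# IPv6 minimum MTU is 1280; minus 40 (IPv6) + 8 (UDP) header bytes leaves
# 1232 bytes of DNS payload that is guaranteed not to fragment.
IPV6_MIN_MTU = 1280
NO_FRAG_PAYLOAD = IPV6_MIN_MTU - (40 + 8)  # 1232

# Key and signature sizes in bytes. RSA-2048 public key (RFC 3110):
# exponent-length byte (1) + exponent 65537 (3) + modulus (256).
# ECDSA P-256 (RFC 6605): 64-byte key, 64-byte signature.
ALGS = {
    "RSASHA256-2048": {"alg": 8, "pubkey": 1 + 3 + 256, "sig": 256},
    "ECDSAP256SHA256": {"alg": 13, "pubkey": 64, "sig": 64},
}

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def rr(owner, rtype, ttl, rdata):
    """One RR: owner (wire name or compression pointer), type, class IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dnskey_rdata(alg, flags):
    """RFC 4034 s2.1: flags, protocol (always 3), algorithm, public key (zeroed here)."""
    return struct.pack("!HBB", flags, 3, alg["alg"]) + b"\x00" * alg["pubkey"]

def rrsig_rdata(alg, signer, type_covered=48, labels=1, ttl=3600):
    """RFC 4034 s3.1: 18 fixed bytes, then signer name, then the signature (zeroed here)."""
    fixed = struct.pack("!HBBIIIH", type_covered, alg["alg"], labels, ttl, 0, 0, 0)
    return fixed + encode_name(signer) + b"\x00" * alg["sig"]

def opt_rr(udp_size=NO_FRAG_PAYLOAD, do_bit=True):
    """RFC 6891 OPT pseudo-RR: root owner, CLASS carries the UDP size, TTL carries flags (DO=0x8000)."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do_bit else 0, 0)

def dnskey_response(zone, alg_name, ksks=1, zsks=1, ksk_sigs=1, dnssec_ok=True):
    """Constructed DNSKEY response: header, question, answer RRs, OPT.
    Without DO (a non-validating resolver) the server omits the RRSIGs (RFC 4035 s3.1.1)."""
    alg = ALGS[alg_name]
    owner = encode_name(zone)
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    sigs = ksk_sigs if dnssec_ok else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, ksks + zsks + sigs, 0, 1)
    question = owner + struct.pack("!HH", 48, 1)
    answer = b"".join(rr(ptr, 48, 3600, dnskey_rdata(alg, 257)) for _ in range(ksks))
    answer += b"".join(rr(ptr, 48, 3600, dnskey_rdata(alg, 256)) for _ in range(zsks))
    answer += b"".join(rr(ptr, 46, 3600, rrsig_rdata(alg, zone)) for _ in range(sigs))
    return header + question + answer + opt_rr(do_bit=dnssec_ok)

def udp_delivery(response_len, advertised_bufsize):
    """Fate of a response sent over UDP to a client advertising advertised_bufsize."""
    if response_len > advertised_bufsize:
        return "truncated (TC=1), client must retry over TCP"
    if response_len > NO_FRAG_PAYLOAD:
        return "fits buffer but may fragment on IPv6 paths"
    return "fits unfragmented"

def set_tc(response):
    """Return a copy of the response with the TC (truncation) flag set, as a server would."""
    flags = struct.unpack("!H", response[2:4])[0] | 0x0200
    return response[:2] + struct.pack("!H", flags) + response[4:]

def has_tc(response):
    """Client side: a set TC bit is the signal to retry the query over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

if __name__ == "__main__":
    for alg_name in ALGS:
        n = len(dnskey_response("example.com", alg_name, ksks=2, zsks=2, ksk_sigs=2))
        print(alg_name, n, "bytes:", udp_delivery(n, 1232), "/", udp_delivery(n, 4096))
    plain = len(dnskey_response("example.com", "RSASHA256-2048", 2, 2, 2, dnssec_ok=False))
    print("same RRset without DO:", plain, "bytes:", udp_delivery(plain, 1232))
```

With the constructed rollover scenario the RSA-2048 response is 1742 bytes, above both 1232 and 1400, so it either sets TC (forcing the TCP retry that 17% of resolvers cannot complete) or must fragment; the ECDSA P-256 version of the same response is 574 bytes and fits unfragmented. Drop the DO bit and the RSA response shrinks to 1144 bytes, which is the case Daniel's quoted poster described for non-validating resolvers.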