[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Sep 4 13:13:13 UTC 2017


On Mon, Sep 04, 2017 at 09:36:41AM +1000,
 Geoff Huston <gih at apnic.net> wrote 
 a message of 42 lines which said:

> My probing from various vantage points tends towards a different
> conclusion, namely that Google’s public DNS service does not receive
> fragmented IPv6 over UDP DNS responses from authoritative name
> servers.

.lancaster currently has a DNSKEY RRset of 1736 bytes. The
authoritative servers serve it well:

%  for ns in $(dig +short +nodnssec NS lancaster.); do
for> echo $ns
for> dig +dnssec -6 @$ns DNSKEY lancaster.
for> done

(No error, no TC)

Some Atlas probes (not many: unlike Google Public DNS, many are
installed in broken networks) can get it:

% atlas-resolve -r 100 -6 -e d.nic.fr -t DNSKEY --dnssec  --ednssize=2048 -v lancaster
[NETWORK PROBLEM WITH RESOLVER] : 12 occurrences 
[256 3 8 aweaabu0q1prj/sruatbtfrdo6tgkp+5 zxmqnxfvpbu7elxgl361mgt5c76+lexz kvtl0o 256 3 8 aweaabw5chweenxgo+e6jejp7totfpoq iuf2fn4u5oryxr9kqofovggtpgao6zbo mdtx9d 256 3 8 aweaacsvozug/fj9cf7ykyugejtkl8qf rmh+otm1/0zm+ngy4ixeiqq7eiapxrf7 qesduk 257 3 8 aweaabp9tpi5sdrtck+jivorgxifmgqm mbhv+ujhjz4+wtdooxvio/mfneq+wxie ks08el] : 20 occurrences 
[TIMEOUT(S)] : 72 occurrences 
Test #9271551 done at 2017-09-04T13:10:34Z


And Google Public DNS can do it just fine. It validates:

% dig +dnssec @8.8.8.8 NS lancaster

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @8.8.8.8 NS lancaster
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19420
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;lancaster.		IN NS

;; ANSWER SECTION:
lancaster.		86399 IN NS d.nic.fr.
lancaster.		86399 IN NS f.ext.nic.fr.
lancaster.		86399 IN NS g.ext.nic.fr.
lancaster.		86399 IN RRSIG NS 8 1 172800 (
				20171103114201 20170904114201 2619 lancaster.
				Vst9l2YOLZ+c5d+V3//ADbzqmSxu3TRYFP0OiggABEC8
				I1WIjpDtCU+9+uIcwYd2ENG2AtnOpUKsrWvNwWlBubBn
				3RV6Q1ZjS/llPe1DhCf84B9lGpyPEmXl8R+txhWKBgy2
				baw10Jxbk4CfPLtttc0VQIBtuoovbi++YNrKTrDvAsBe
				gkrDZH6uUh7T+e/J58y9Zdsm6PVcSVeHqAslnUuDq9FV
				HwE/zP4yXyvZ60Q/I2G/Shq8zCoCeGrcTN9iXQocrwnr
				U0/E5+Cupd0vpszzX3nYNmq3DG70xOVCDh31H+fBQ2zQ
				5SExRHrIsas6wl8ix9H1+94F9QW2iaLeDg== )

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 04 15:09:46 CEST 2017
;; MSG SIZE  rcvd: 393

And it retrieves the proper DNSKEY RRset:


% dig +dnssec @8.8.8.8 DNSKEY lancaster

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @8.8.8.8 DNSKEY lancaster
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55014
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;lancaster.		IN DNSKEY

;; ANSWER SECTION:
lancaster.		86399 IN DNSKEY	256 3 8 (
				AwEAAcSVOzUG/FJ9cf7ykYUGEJtkL8QFrmH+otM1/0zM
				+NgY4IxeIQQ7EiApxRF7QESDUkufB61kXGOknkxbZ8S2
				C4Wvpg2cAuID8L3ydnMai3LHym+slC914Igj/6nGx2jB
				/wtdMwpau65Z5hpET3DOBooCfosD6bVgvM7dlSICF65o
				zjyFfGy0X/tAW1VSJ+2Suuk6Rscd+t5QXRWgIRtCvFgQ
				AqCbSOMb3I2By6/I6E33LB7nHj43p1SYW0eHvMXpXFpJ
				nQG8CQjvAQc8dluocpx8c4FjP1eWj92077heopx1tR39
				qVJGudaQN7MnxL0rq+FmASdnzO1CuDN6Vnx+tBc=
				) ; ZSK; alg = RSASHA256; key id = 33259
lancaster.		86399 IN DNSKEY	257 3 8 (
				AwEAAbP9TPi5SdrTCK+jivORgxIfmgQMmbhv+UjHJz4+
				wtdOOxviO/mfNEq+wxiekS08eLNM08UW5bKF8CwdBkJo
				Vjjnw43DF7GDnMOlxZuT5svE4esXHbxKh2JbswRWoesJ
				ANe5/W/THbe8khKUsD+CbFkeHD9bP7rJ/DSGgPALxm86
				xw8qr3R2TCRncsme8LUZG9Sdt0eMd7zBlj69zafxcqz3
				fDiyLgNpduM/WHufot/VBzsAKzwQvfYyMuXDuJ+EGk4z
				VzjTqMc7yvWS8QbzSqrbam1UKIYOUIcn8uCK1z4RpvEw
				t2Iv62QI0ne7rPt+lOgHM+cdA6paPtLSP0c4/ts=
				) ; KSK; alg = RSASHA256; key id = 11492
lancaster.		86399 IN DNSKEY	256 3 8 (
				AwEAAbU0q1prJ/SruAtBTfrDo6TGKP+5zXMqnXfVPbu7
				elxgL361mGT5C76+LExzkvtl0ohcuDl3lelaNHeIbcCZ
				wxLkWrp2vALs0Sb5CNbuj6bw8/ZpvGJrJWSodEkayLAt
				sqeA2QWxvTZZ0DyAB8VgndnkfD+VGWw7RjTtIIxV8sUB
				NriCK6Q11v5JBSTwaxDEz/RCCWSS9uFdJYLgk74x9Ur7
				U771KiSozjdtx6S2FIJYrY2ugZlCgy+r1h29rhKUioEL
				oKm+2yqvVKPZByEEd1VBg1inZCnAfHlFoKfd4qL5gJTh
				gq5YrQYkkGj8cPdryrYJq30WK3p34xbW+gdnE7U=
				) ; ZSK; alg = RSASHA256; key id = 26241
lancaster.		86399 IN DNSKEY	256 3 8 (
				AwEAAbw5cHWeEnxGo+E6jEJP7totfpoQIuf2fN4U5OrY
				xr9KqofOvgGTpgAo6zboMdTx9Ddvym1B9QcCFycyiR5y
				nLZZef1MDENysRSiFRs905Oc9HUsIAxGNCu322+Ln26A
				PFUxOQJWxAd1DKr4/OJnKoXvUGMA2vrxaqVP6pM/VKWh
				Xpz7rB+cGcNo7D94+liY2yTx2+22+mMofb8KUTxRw0et
				7Dygu0LsZ9qMNmrrpsb6XTrzT5fPaUymlr8+yrgurLla
				xEe49OrdOyB7XprASz6P8WtnDQSj4M8Lzn+JPMBoK+4v
				6ZqMcax30i5ng4K6QP1BGhEs0VyDL+GEK4FkhK8=
				) ; ZSK; alg = RSASHA256; key id = 2619
lancaster.		86399 IN RRSIG DNSKEY 8 1 172800 (
				20171103114201 20170904114201 2619 lancaster.
				bVueuY6RH4GrmNEl1ymnjMCpbOc3gphsZhE17QWBwRTH
				fUk2twG2VQY5ISl61lKrh9FHw7cw1DHrOTnVbaGM+seU
				QUcdNk4u1VtOIWe1w4+QvfP0mCZy2ZkxUlXU9E4NM7S5
				rtn633MJQqXRxg2bAqzZ8u+i5ywg/mqwsYwwTwJT+peW
				qv/ZdsTpXUymHjrSPQ64VxFtg7UVKkNVUaICkY4bY0B5
				31Xrotzr1VP/p0Ae+nqs47LojeBMs2uztMQydVRsuzP9
				U3C4gx5TzVEZ6kzpm50fYz4P+ZDZYSqV7FX/9RawAjf5
				AJU0rfSdhx2fNNRomlZtdRlbvGsJCqJ5Xw== )
lancaster.		86399 IN RRSIG DNSKEY 8 1 172800 (
				20171103114201 20170904114201 11492 lancaster.
				r0XGqO0QrO1cyhtgCI0WYhlGi2Df5XO+AxPUeyvTadCU
				Z1C2zQxbBg/Flb6764ecyg6qkPp3iWXINyedyy3+E1wt
				IcXokGzIhdRwY8o1rYrF/6Y5mEOrc4tiO44Lo0jzi1CK
				rwUmdfQsCyzORka/A0i4atpQ5GqOtqFYAKF/7+n8A9wV
				WlXmvthbzT8h/cNaGUEKiKiqNj2k9POXx7m0YKAwLIf/
				bDLt36wrcThmKwpCr4bO1ZJ+cjsKTdGrRkjV7tTcVob+
				+X9uWrYihc7iuESGvoUK2/daG9p24xGAo3GbXHnHfppi
				La+V5kTWY/XuPSSerNzjbUVsHASd7tYVxw== )

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 04 15:10:07 CEST 2017
;; MSG SIZE  rcvd: 1736
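
Added example (not part of the original message or of any tool it mentions): the query a probe like the ones above sends, with EDNS0 size 2048 and the DO bit, the reply header fields it checks, and the number of IPv6 packets a 1736-byte answer needs. The function names, the query id and the zero-padded SAMPLE reply are assumptions made for illustration.

```python
import math
import struct

DNSKEY, OPT = 48, 41                    # RR type codes
IPV6_HDR, FRAG_HDR, UDP_HDR = 40, 8, 8  # header sizes in bytes


def build_query(name, qtype=DNSKEY, bufsize=2048, do=True, qid=0x1234):
    """Wire-format query carrying an EDNS0 OPT record (UDP size + DO bit)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT RR: root owner, type 41, CLASS = advertised UDP size,
    # TTL = extended rcode / version / flags (DO is 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Header fields a prober checks in a reply."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}


def ipv6_fragments(dns_size, mtu=1500):
    """IPv6 packets needed to carry one UDP DNS message of dns_size bytes."""
    if IPV6_HDR + UDP_HDR + dns_size <= mtu:
        return 1
    per_frag = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8  # fragment data: multiple of 8
    return math.ceil((UDP_HDR + dns_size) / per_frag)


def outcome(reply):
    """Classify one probe result; reply is the raw UDP payload or None."""
    if reply is None:
        return "timeout"            # consistent with dropped fragments, not proof
    if parse_header(reply)["tc"]:
        return "truncated"          # the sender asks for a retry over TCP
    return "complete, %d packet(s) at MTU 1500" % ipv6_fragments(len(reply))


# Constructed reply: the header dig shows above (id 55014, qr rd ra ad,
# 6 answers) padded with zero bytes to the 1736-byte message size.
SAMPLE = struct.pack("!HHHHHH", 55014, 0x81A0, 1, 6, 0, 1) + bytes(1736 - 12)

if __name__ == "__main__":
    print(build_query("lancaster").hex())
    print(outcome(SAMPLE), "|", outcome(None))
```
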


