[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS

Geoff Huston gih at apnic.net
Mon Sep 4 21:30:50 UTC 2017


IPv4 fixes everything

If the name servers for .lancaster had only responded over IPv6 your experience in using Google to resolve this name would be different. It’s not you asking Google that is the problem: it’s Google asking the name servers that shows the problem.

Geoff

> On 4 Sep 2017, at 11:13 pm, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> On Mon, Sep 04, 2017 at 09:36:41AM +1000,
> Geoff Huston <gih at apnic.net> wrote 
> a message of 42 lines which said:
> 
>> My probing from various vantage points tends towards a different
>> conclusion, namely that Google’s public DNS service does not receive
>> fragmented IPv6 over UDP DNS responses from authoritative name
>> servers.
> 
> .lancaster currently has a DNSKEY RRset of 1736 bytes. The
> authoritative servers serve it well:
> 
> %  for ns in $(dig +short +nodnssec NS lancaster.); do
> for> echo $ns
> for> dig +dnssec -6 @$ns DNSKEY lancaster.
> for> done
> 
> (No error, no TC)
> 
> Some Atlas probes (not many: unlike Google Public DNS, many are
> installed in broken networks) can get it:
> 
> % atlas-resolve -r 100 -6 -e d.nic.fr -t DNSKEY --dnssec  --ednssize=2048 -v lancaster
> [NETWORK PROBLEM WITH RESOLVER] : 12 occurrences 
> [256 3 8 aweaabu0q1prj/sruatbtfrdo6tgkp+5 zxmqnxfvpbu7elxgl361mgt5c76+lexz kvtl0o 256 3 8 aweaabw5chweenxgo+e6jejp7totfpoq iuf2fn4u5oryxr9kqofovggtpgao6zbo mdtx9d 256 3 8 aweaacsvozug/fj9cf7ykyugejtkl8qf rmh+otm1/0zm+ngy4ixeiqq7eiapxrf7 qesduk 257 3 8 aweaabp9tpi5sdrtck+jivorgxifmgqm mbhv+ujhjz4+wtdooxvio/mfneq+wxie ks08el] : 20 occurrences 
> [TIMEOUT(S)] : 72 occurrences 
> Test #9271551 done at 2017-09-04T13:10:34Z
> 
> 
> And Google Public DNS can do it just fine. It validates:
> 
> % dig +dnssec @8.8.8.8 NS lancaster
> 
> ; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @8.8.8.8 NS lancaster
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19420
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;lancaster.		IN NS
> 
> ;; ANSWER SECTION:
> lancaster.		86399 IN NS d.nic.fr.
> lancaster.		86399 IN NS f.ext.nic.fr.
> lancaster.		86399 IN NS g.ext.nic.fr.
> lancaster.		86399 IN RRSIG NS 8 1 172800 (
> 				20171103114201 20170904114201 2619 lancaster.
> 				Vst9l2YOLZ+c5d+V3//ADbzqmSxu3TRYFP0OiggABEC8
> 				I1WIjpDtCU+9+uIcwYd2ENG2AtnOpUKsrWvNwWlBubBn
> 				3RV6Q1ZjS/llPe1DhCf84B9lGpyPEmXl8R+txhWKBgy2
> 				baw10Jxbk4CfPLtttc0VQIBtuoovbi++YNrKTrDvAsBe
> 				gkrDZH6uUh7T+e/J58y9Zdsm6PVcSVeHqAslnUuDq9FV
> 				HwE/zP4yXyvZ60Q/I2G/Shq8zCoCeGrcTN9iXQocrwnr
> 				U0/E5+Cupd0vpszzX3nYNmq3DG70xOVCDh31H+fBQ2zQ
> 				5SExRHrIsas6wl8ix9H1+94F9QW2iaLeDg== )
> 
> ;; Query time: 27 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Sep 04 15:09:46 CEST 2017
> ;; MSG SIZE  rcvd: 393
> 
> And it retrieves the proper DNSKEY RRset:
> 
> 
> % dig +dnssec @8.8.8.8 DNSKEY lancaster
> 
> ; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @8.8.8.8 DNSKEY lancaster
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55014
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;lancaster.		IN DNSKEY
> 
> ;; ANSWER SECTION:
> lancaster.		86399 IN DNSKEY	256 3 8 (
> 				AwEAAcSVOzUG/FJ9cf7ykYUGEJtkL8QFrmH+otM1/0zM
> 				+NgY4IxeIQQ7EiApxRF7QESDUkufB61kXGOknkxbZ8S2
> 				C4Wvpg2cAuID8L3ydnMai3LHym+slC914Igj/6nGx2jB
> 				/wtdMwpau65Z5hpET3DOBooCfosD6bVgvM7dlSICF65o
> 				zjyFfGy0X/tAW1VSJ+2Suuk6Rscd+t5QXRWgIRtCvFgQ
> 				AqCbSOMb3I2By6/I6E33LB7nHj43p1SYW0eHvMXpXFpJ
> 				nQG8CQjvAQc8dluocpx8c4FjP1eWj92077heopx1tR39
> 				qVJGudaQN7MnxL0rq+FmASdnzO1CuDN6Vnx+tBc=
> 				) ; ZSK; alg = RSASHA256; key id = 33259
> lancaster.		86399 IN DNSKEY	257 3 8 (
> 				AwEAAbP9TPi5SdrTCK+jivORgxIfmgQMmbhv+UjHJz4+
> 				wtdOOxviO/mfNEq+wxiekS08eLNM08UW5bKF8CwdBkJo
> 				Vjjnw43DF7GDnMOlxZuT5svE4esXHbxKh2JbswRWoesJ
> 				ANe5/W/THbe8khKUsD+CbFkeHD9bP7rJ/DSGgPALxm86
> 				xw8qr3R2TCRncsme8LUZG9Sdt0eMd7zBlj69zafxcqz3
> 				fDiyLgNpduM/WHufot/VBzsAKzwQvfYyMuXDuJ+EGk4z
> 				VzjTqMc7yvWS8QbzSqrbam1UKIYOUIcn8uCK1z4RpvEw
> 				t2Iv62QI0ne7rPt+lOgHM+cdA6paPtLSP0c4/ts=
> 				) ; KSK; alg = RSASHA256; key id = 11492
> lancaster.		86399 IN DNSKEY	256 3 8 (
> 				AwEAAbU0q1prJ/SruAtBTfrDo6TGKP+5zXMqnXfVPbu7
> 				elxgL361mGT5C76+LExzkvtl0ohcuDl3lelaNHeIbcCZ
> 				wxLkWrp2vALs0Sb5CNbuj6bw8/ZpvGJrJWSodEkayLAt
> 				sqeA2QWxvTZZ0DyAB8VgndnkfD+VGWw7RjTtIIxV8sUB
> 				NriCK6Q11v5JBSTwaxDEz/RCCWSS9uFdJYLgk74x9Ur7
> 				U771KiSozjdtx6S2FIJYrY2ugZlCgy+r1h29rhKUioEL
> 				oKm+2yqvVKPZByEEd1VBg1inZCnAfHlFoKfd4qL5gJTh
> 				gq5YrQYkkGj8cPdryrYJq30WK3p34xbW+gdnE7U=
> 				) ; ZSK; alg = RSASHA256; key id = 26241
> lancaster.		86399 IN DNSKEY	256 3 8 (
> 				AwEAAbw5cHWeEnxGo+E6jEJP7totfpoQIuf2fN4U5OrY
> 				xr9KqofOvgGTpgAo6zboMdTx9Ddvym1B9QcCFycyiR5y
> 				nLZZef1MDENysRSiFRs905Oc9HUsIAxGNCu322+Ln26A
> 				PFUxOQJWxAd1DKr4/OJnKoXvUGMA2vrxaqVP6pM/VKWh
> 				Xpz7rB+cGcNo7D94+liY2yTx2+22+mMofb8KUTxRw0et
> 				7Dygu0LsZ9qMNmrrpsb6XTrzT5fPaUymlr8+yrgurLla
> 				xEe49OrdOyB7XprASz6P8WtnDQSj4M8Lzn+JPMBoK+4v
> 				6ZqMcax30i5ng4K6QP1BGhEs0VyDL+GEK4FkhK8=
> 				) ; ZSK; alg = RSASHA256; key id = 2619
> lancaster.		86399 IN RRSIG DNSKEY 8 1 172800 (
> 				20171103114201 20170904114201 2619 lancaster.
> 				bVueuY6RH4GrmNEl1ymnjMCpbOc3gphsZhE17QWBwRTH
> 				fUk2twG2VQY5ISl61lKrh9FHw7cw1DHrOTnVbaGM+seU
> 				QUcdNk4u1VtOIWe1w4+QvfP0mCZy2ZkxUlXU9E4NM7S5
> 				rtn633MJQqXRxg2bAqzZ8u+i5ywg/mqwsYwwTwJT+peW
> 				qv/ZdsTpXUymHjrSPQ64VxFtg7UVKkNVUaICkY4bY0B5
> 				31Xrotzr1VP/p0Ae+nqs47LojeBMs2uztMQydVRsuzP9
> 				U3C4gx5TzVEZ6kzpm50fYz4P+ZDZYSqV7FX/9RawAjf5
> 				AJU0rfSdhx2fNNRomlZtdRlbvGsJCqJ5Xw== )
> lancaster.		86399 IN RRSIG DNSKEY 8 1 172800 (
> 				20171103114201 20170904114201 11492 lancaster.
> 				r0XGqO0QrO1cyhtgCI0WYhlGi2Df5XO+AxPUeyvTadCU
> 				Z1C2zQxbBg/Flb6764ecyg6qkPp3iWXINyedyy3+E1wt
> 				IcXokGzIhdRwY8o1rYrF/6Y5mEOrc4tiO44Lo0jzi1CK
> 				rwUmdfQsCyzORka/A0i4atpQ5GqOtqFYAKF/7+n8A9wV
> 				WlXmvthbzT8h/cNaGUEKiKiqNj2k9POXx7m0YKAwLIf/
> 				bDLt36wrcThmKwpCr4bO1ZJ+cjsKTdGrRkjV7tTcVob+
> 				+X9uWrYihc7iuESGvoUK2/daG9p24xGAo3GbXHnHfppi
> 				La+V5kTWY/XuPSSerNzjbUVsHASd7tYVxw== )
> 
> ;; Query time: 31 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Sep 04 15:10:07 CEST 2017
> ;; MSG SIZE  rcvd: 1736
> 
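
Added example, not part of either poster's message: how the 1736-byte DNSKEY response and the 393-byte NS response quoted above would be carried in IPv6/UDP packets. The path MTU values (1500 and 1280) are assumptions; the thread does not state the MTU on any path.

```python
IPV6_HEADER = 40      # fixed IPv6 header, bytes
UDP_HEADER = 8        # UDP header, bytes
FRAGMENT_HEADER = 8   # IPv6 Fragment extension header, bytes


def max_unfragmented_dns(mtu):
    """Largest DNS message that fits in one IPv6/UDP packet at this MTU."""
    return mtu - IPV6_HEADER - UDP_HEADER


def fragment_plan(dns_size, mtu):
    """Packets the sending host emits for one DNS-over-UDP response.

    Returns a list of (offset_in_8_byte_units, payload_bytes, packet_bytes,
    more_fragments). A single entry means the packet is sent whole, with no
    Fragment header.
    """
    if mtu < 1280:
        raise ValueError("IPv6 requires a link MTU of at least 1280 bytes")
    fragmentable = UDP_HEADER + dns_size   # UDP header travels in fragment 1 only
    if IPV6_HEADER + fragmentable <= mtu:
        return [(0, fragmentable, IPV6_HEADER + fragmentable, False)]
    # Every fragment except the last carries a multiple of 8 payload bytes.
    chunk = (mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8 * 8
    plan, offset = [], 0
    while offset < fragmentable:
        size = min(chunk, fragmentable - offset)
        more = offset + size < fragmentable
        plan.append((offset // 8, size,
                     IPV6_HEADER + FRAGMENT_HEADER + size, more))
        offset += size
    return plan


if __name__ == "__main__":
    # Sizes are the "MSG SIZE rcvd" values in the dig output above.
    for label, size in (("NS", 393), ("DNSKEY", 1736)):
        for mtu in (1500, 1280):          # assumed path MTUs
            plan = fragment_plan(size, mtu)
            state = "fragmented" if len(plan) > 1 else "single packet"
            print(f"{label} {size} bytes, MTU {mtu}: {state}")
            for off, payload, packet, more in plan:
                print(f"  offset={off:<4} payload={payload:<5} "
                      f"packet={packet:<5} M={int(more)}")
```

At both assumed MTUs the DNSKEY response needs two fragments, and the second one carries no UDP header, so it only arrives if the path and the receiver accept IPv6 fragments.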


