DNS, fragmentation, and IPv6 extension headers
Fernando Gont <fernando <at> gont.com.ar>
2014-07-28 12:24:59 GMT
(Apologies if this has been debated to death already).
At the last IEPG meeting we presented some results regarding the
filtering of packets that employ IPv6 extension headers (please see:
The packet drop rates range from 10% to over 50%, depending on the
dataset (FWIW, these packet drops have nothing to do with DNS-specific
packet drops caused by sloppy firewalls or the like).
This essentially raises the question of "What's the plan for
transporting DNS queries/responses in IPv6?"
At different venues (including the IETF), I've received/listened to
different opinions. Quite a few folks usually argue "oh, that's simple:
we'll use TCP", while others tend to argue that "one should be careful
when thinking about relying on TCP for DNS queries/responses" (e.g. see
While this issue/question may currently be masked by the fact that
we still have IPv4, I wonder what's "the plan" for the IPv6 case (at
some point, we'll have to rely on whatever such plan is).
If the answer is "fall back to TCP if UDP doesn't work", my next
question would be "does popular DNS server software implement
mitigations for TCP-based attacks?" (zero-windows, FIN-WAIT-X flooding,