DNS and UDP Fragmentation
Internet Systems Consortium
950 Charter Street
Redwood City
CA
94063
US
marka@isc.org
This document provides advice to DNS developers about sending
DNS UDP messages and Path MTU Discovery.
IPv6 has changed the dynamics of UDP, Path MTU Discovery
(PMTUD) and IP fragmentation. With IPv4, DNS/UDP packets
were fragmented by the network and no PMTUD was performed.
With IPv6, fragmentation occurs only in the sending node and
PMTUD is always performed unless the sending node fragments
the IPv6 packet at the minimum IPv6 MTU.
DNS/UDP does not work well when PMTUD is performed. If the
Packet Too Big (PTB) / Need Fragmentation ICMP messages are
not received, there is no feedback path in DNS to reduce the
message size as there is with TCP.
Additionally, there is no automatic retransmission of UDP
packets in response to a PTB message as there is with TCP:
the sender has to resend the request after timing out. Not
only is this process slow, the resulting traffic patterns
can be confused with other common sources of error, such as
badly configured firewalls, leading to inappropriate
remedial action being taken.
This document recommends that all DNS/UDP messages are sent
such that they do not trigger PMTUD.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in [RFC2119].
There are a number of IP stacks that enable PMTUD for all
IP packets by default, against the advice of [RFC1191]. On
those IP stacks it is necessary for the application to
disable PMTUD on a per socket/packet basis, or for the
operator to disable it globally if there is no per
socket/packet control.
It was realised that IPv6 changed the way PMTUD happened
and that there were applications, like DNS, that would not
work well with PMTUD. For those applications a socket
option called IPV6_USE_MIN_MTU [RFC3542] was developed
which tells the IPv6 stack to fragment packets at the
minimum IPv6 MTU rather than use PMTUD to find the actual
PMTU.
It is RECOMMENDED that IPV6_USE_MIN_MTU be set to 1 (one)
when sending DNS/UDP messages over IPv6. This option can
be set at the socket level or it can be set on a per UDP
datagram basis.
If the IPv6 stack does not support IPV6_USE_MIN_MTU, then
steps should be taken to prevent PMTUD occurring. These
include, but are not limited to, setting the MTU of the
interface the packets are being sent over to the minimum
IPv6 MTU (1280 bytes), or restricting DNS/UDP packets to
no more than 1280 bytes including IPv6 headers.
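The following C program is an added example and is not code
from this document or from any particular DNS implementation.
It shows the two recommendations above in working form: setting
IPV6_USE_MIN_MTU at the socket level and per datagram (as
RFC 3542 ancillary data), and, on a stack without that option,
the fallback of keeping each DNS/UDP packet within the 1280-byte
minimum MTU (1280 minus the 40-byte IPv6 header and the 8-byte
UDP header leaves 1232 bytes of DNS payload). The Linux branch
is an assumption of this example: Linux does not implement
IPV6_USE_MIN_MTU, so the code uses its IPV6_MTU_DISCOVER and
IPV6_MTU socket options instead; treat it as illustrative and
verify against your kernel.

```c
/* Added example: keep IPv6 DNS/UDP traffic clear of PMTUD.
 * Not the draft's code; platform behaviour noted in comments is assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define IPV6_MIN_MTU_BYTES 1280   /* minimum IPv6 link MTU */
#define IPV6_HEADER_LEN    40
#define UDP_HEADER_LEN     8

/* Largest DNS payload that fits in one IPv6/UDP packet of `mtu` bytes
 * when no extension headers are present; 1232 for the minimum MTU. */
int max_dns_udp_payload(int mtu) {
    return mtu - IPV6_HEADER_LEN - UDP_HEADER_LEN;
}

/* Socket-level control.  Returns 0 on success, -1 (errno set) on
 * failure, and 1 when the platform offers no per-socket control at all
 * (then the interface MTU or the 1232-byte payload cap must do the job). */
int disable_pmtud_udp6(int fd) {
#if defined(IPV6_USE_MIN_MTU)
    int one = 1;   /* RFC 3542: 1 = always fragment at the minimum MTU */
    return setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &one, sizeof(one));
#elif defined(IPV6_MTU_DISCOVER)
    /* Assumed Linux semantics: PMTUDISC_OMIT ignores any learned PMTU and
     * fragments locally; PMTUDISC_DONT is the older "never do PMTUD" mode. */
    int mode;
    int mtu = IPV6_MIN_MTU_BYTES;
#if defined(IPV6_PMTUDISC_OMIT)
    mode = IPV6_PMTUDISC_OMIT;
#else
    mode = IPV6_PMTUDISC_DONT;
#endif
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &mode, sizeof(mode)) < 0)
        return -1;
#if defined(IPV6_MTU)
    /* Assumed: IPV6_MTU caps the size at which this socket fragments. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof(mtu)) < 0)
        return -1;
#endif
    return 0;
#else
    (void)fd;
    return 1;
#endif
}

/* Per-datagram control (RFC 3542): the same option carried as a cmsg on
 * sendmsg(), so one socket can send some datagrams with it and some
 * without.  Returns the sendmsg() result. */
ssize_t send_dns_udp6_min_mtu(int fd, const void *msg, size_t len,
                              const struct sockaddr_in6 *dst) {
    struct iovec iov;
    struct msghdr mh;
#if defined(IPV6_USE_MIN_MTU)
    unsigned char ctl[CMSG_SPACE(sizeof(int))];
    struct cmsghdr *cm;
    int one = 1;
#endif
    iov.iov_base = (void *)msg;
    iov.iov_len = len;
    memset(&mh, 0, sizeof(mh));
    mh.msg_name = (void *)dst;
    mh.msg_namelen = sizeof(*dst);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
#if defined(IPV6_USE_MIN_MTU)
    memset(ctl, 0, sizeof(ctl));
    mh.msg_control = ctl;
    mh.msg_controllen = sizeof(ctl);
    cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = IPPROTO_IPV6;
    cm->cmsg_type = IPV6_USE_MIN_MTU;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &one, sizeof(one));
#endif
    return sendmsg(fd, &mh, 0);
}

int main(void) {
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("disable_pmtud_udp6: %d\n", disable_pmtud_udp6(fd));
    printf("DNS payload limit at %d-byte MTU: %d bytes\n",
           IPV6_MIN_MTU_BYTES, max_dns_udp_payload(IPV6_MIN_MTU_BYTES));
    close(fd);
    return 0;
}
```

A server that has no socket-level control should enforce the
1232-byte figure when it builds responses (for example by
advertising and honouring an EDNS buffer size no larger than
that), since anything bigger will either fragment or trigger
PMTUD on the path.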
It should be noted that even with IPV6_USE_MIN_MTU set to
one, a PTB message may still be received which requires the
IPv6 stack to add a Fragmentation header to subsequent
packets. There is currently no way to avoid this, without
using raw sockets, as there is no way for an application to
request that a Fragmentation header be added to a packet.
"Forcing Fragmentation of IPv6 Packets" (see References)
however proposes some methods.
Failure to prevent PMTUD can lead to denial of service for
DNS clients.
Firewalls are often configured to block fragmented IP packets
as early IP stacks had fragmentation re-assembly bugs.
These bugs were exploited to perform a number of denial of
service and other attacks circa 1999.
Such blocks should be relaxed to permit fragmented UDP
packets.
References

[RFC1191] Mogul, J. and S. Deering, "Path MTU Discovery", RFC 1191, November 1990.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, "Advanced Sockets Application Program Interface (API) for IPv6", RFC 3542, May 2003.
"Forcing Fragmentation of IPv6 Packets".