Please consider setting setsockopt(IPV6_USE_MIN_MTU) on the IPv6 UDP socket, as per draft-andrews-dnsext-udp-fragmentation. Almost all DNS servers (BIND, Unbound, NSD, ...) set this option.
PMTUD on DNS/UDP is actually harmful because it causes many timeouts and resends if there is a small-MTU link (e.g. v6 over v4 tunnel) between the server and clients.
The draft (draft-andrews-dnsext-udp-fragmentation) explains why IPV6_USE_MIN_MTU should be set on IPv6 UDP sockets by default (and many DNS implementations do it).
If the host is completely dedicated to (Knot) DNS, it's ok to set the MTU at the operating system level. --- Users (including me) usually want to configure the packet size per application.
There have been DNS cache poisoning attacks taking advantage of IP fragmentation. Forcing fragmentation sounds a bit dangerous. I also hope that some of the IPv6 issues the draft was addressing have already been resolved — the draft was written in 2012 (and expired the same year).
I have only a little operational experience with IPv6. I'll ask some more people for their opinion on this.
My conclusion is that forcing fragmentation can actually cause more harm. So I don't want to set this option by default for all sockets. We could add a compile-time or run-time option for this purpose. However, I think a better solution would be to add a separate config option for the IPv6 EDNS buffer size, as suggested by Anand.
I also wanted to check the implementation: it doesn't work with my current 4.5.7 Linux kernel. I'll try on FreeBSD soon.
I wrote a patch to disable PMTUD for UDP sockets for both IPv4 and IPv6 (Linux does PMTUD on UDP/IPv4 by default). This patch includes an extra bonus: mitigating the DNS fragmentation attack for IPv4 UDP by using Linux's newer sockopt IP_PMTUDISC_OMIT. This patch always disables PMTUD, but feel free to modify it to make the feature optional.
On the concern about the DNS fragmentation attack: the IPv6 ID field is 32 bits. If the IPv6 ID is unpredictable, that is the same security level as the normal TXID+port. I know older platforms didn't randomise the IPv6 ID (as Shulman pointed out), but secure (unpredictable IPv6 ID) implementations are already widely used. For example, many currently installed Linux distros include Linux > 3.1, which is secure [RFC7739]. RHEL (CentOS) 5/6 is based on an older kernel, but Red Hat has backported the randomisation patch to their RHEL kernel [1]. At least FreeBSD 9.0 or later is also secure [RFC7739], and 9.2 and older is already end of support.
Is it correct to set IPV6_PMTUDISC_OMIT on IPv6 sockets? My understanding is that IPV6_PMTUDISC_OMIT disables PMTUD for IPv6, but PMTUD is mandatory for IPv6. We don't need to implement the Shulman attack mitigation for IPv6 fragments if we are using Linux 3.1 / FreeBSD 9 or later.
In my patch, the strategies to prevent the PMTUD issues addressed in draft-andrews-dnsext-udp-fragmentation differ between IPv4 and IPv6:

For IPv4, just ensure all outgoing UDP packets have DF=0 by:
- setsockopt(IP_PMTUDISC_OMIT) (Linux 3.15 or later) -- includes the Shulman attack mitigation described below
- setsockopt(IP_PMTUDISC_DONT) (Linux < 3.15)
- setsockopt(IP_DONTFRAG) (BSDs and others)

For IPv6, ensure the outgoing IPv6 packet size is smaller than or equal to 1280.

Strategies to mitigate the Shulman fragmentation attack also differ between IPv4 and IPv6:
- For IPv4, ensure that packet fragmentation occurs if and only if fragmentation is needed -- set all outgoing UDP packets to DF=0 and do not apply (possibly forged) Path MTU information, with setsockopt(IP_PMTUDISC_OMIT) (Linux 3.15 or later only).
- For IPv6, just recommend that users install a secure kernel (Linux > 3.1, FreeBSD > 9) which randomises the Identification field in IPv6 packets (or possibly keep the DNS UDP reply packet size <= 1280). Contrary to IPv4, just ignoring PMTU information (IPV6_PMTUDISC_OMIT) is not an acceptable solution because PMTUD is mandatory for IPv6. Furthermore, use of IPV6_PMTUDISC_OMIT is pointless since Linux 3.15 and later implements Identification field randomisation.
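An added example in C of the per-family socket setup described in this thread (this is not the patch posted here nor Knot DNS's own code): IP_PMTUDISC_OMIT with a fallback to IP_PMTUDISC_DONT for IPv4, IPV6_USE_MIN_MTU where the platform defines it, and, as an assumed Linux equivalent for capping replies at 1280 bytes, IPV6_MTU set to 1280. The function names dns_udp_pmtud_config and dns_udp_pmtud_selfcheck are chosen here; the self-check reads the IPv4 setting back to confirm DF will be clear.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Apply the per-family DNS/UDP fragmentation policy; 0 on success, -1 + errno. */
int dns_udp_pmtud_config(int fd, int family)
{
    int v = 0;
    if (family == AF_INET) {
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
        v = IP_PMTUDISC_OMIT;  /* Linux >= 3.15: DF=0 and ignore cached (possibly forged) PMTU */
        if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v) == 0) return 0;
        if (errno != EINVAL) return -1;  /* older kernels reject OMIT with EINVAL */
#endif
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
        v = IP_PMTUDISC_DONT;  /* Linux < 3.15: DF=0, PMTU hints still honoured */
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
#elif defined(IP_DONTFRAG)
        v = 0;                 /* BSD: clear DF on outgoing datagrams */
        return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &v, sizeof v);
#endif
    } else if (family == AF_INET6) {
#if defined(IPV6_USE_MIN_MTU)
        v = 1;     /* BSD: fragment to the 1280-byte IPv6 minimum MTU */
        return setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &v, sizeof v);
#elif defined(IPV6_MTU)
        v = 1280;  /* Linux (assumed equivalent): cap the socket MTU at 1280 */
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &v, sizeof v);
#endif
    }
    errno = (family == AF_INET || family == AF_INET6) ? ENOPROTOOPT : EAFNOSUPPORT; return -1;
}

/* Self-check: open a UDP socket of the family, apply the policy and (on Linux) read
 * the IPv4 setting back. 0 = ok, 1 = no socket could be created here, -1 = failed. */
int dns_udp_pmtud_selfcheck(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0) return 1;
    int rc = dns_udp_pmtud_config(fd, family);
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
    int v = -1; socklen_t len = sizeof v;
    if (rc == 0 && family == AF_INET &&
        (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len) != 0 ||
         v == IP_PMTUDISC_DO || v == IP_PMTUDISC_WANT))
        rc = -1;  /* DF would still be set: policy not applied */
#endif
    close(fd); return rc;
}
```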