nanog mailing list archives

RE: v6 DNSSEC fail, was Buying IPv4 blocks

From: "Naslund, Steve" <SNaslund () medline com>
Date: Mon, 8 Oct 2018 03:47:25 +0000

On 10/5/18 1:53 AM, Mark Andrews wrote:
If you don’t want fragmented IPv6 UDP responses use

      server ::/0 { edns-udp-size 1232; };

That’s 1280 - IPv6 header - UDP header.  Anything bigger than that can 
theoretically be fragmented.  You will then have to deal with PMTUD 
failures as the servers switch over to TCP.


That is true provided that you accept that some people may not be able to respond without the packet getting fragmented 
due to tunneling or a million other reasons they may not support that MTU.   Nonstandard MTU has always and seems will 
continue to be problematic.  It all really began with tunneling which by its nature lowers the MTU available to the 
application.  Firewalls really have to just deal with it and do the re-assembly they need to.  It does create 
tremendous performance issues for these devices at high bandwidth.  Bottom line is fragmentation sucks and V6 does not 
make it any better.

Steven Naslund
Chicago IL

Current thread:

Re: Buying IPv4 blocks, (continued)
- - - Re: Buying IPv4 blocks Ross Tajvar (Oct 04)
    - Re: Buying IPv4 blocks Matt Harris (Oct 04)
    - Re: Buying IPv4 blocks John Levine (Oct 04)
    - Re: Buying IPv4 blocks Marco Davids via NANOG (Oct 04)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks John Levine (Oct 04)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Tinka (Oct 04)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Andrews (Oct 04)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 04)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Andrews (Oct 05)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 05)
    - RE: v6 DNSSEC fail, was Buying IPv4 blocks Naslund, Steve (Oct 07)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 07)
    - Re: v6 DNSSEC fail, was Buying IPv4 blocks Bryce Wilson (Oct 09)