DNS and UDP Fragmentation

IPv6 has changed the dynamics of UDP, Path MTU Discovery (PMTUD) and IP fragmentation. With IPv4 DNS/UDP packets were fragmented by the network and no PMTUD was performed. With IPv6 fragmentation occurs in the sending node and PMTUD is allways performed unless the IPv6 packet is fragmented by the sending node using the minimum IPv6 MTU. DNS/UDP does not work well when PMTUD is performed. If the Packet Too Big (PTB) / Need Fragmentation ICMP messages are not received there is no feedback path in DNS to reduce the size of the fragments like there is with TCP. Additionally there is no automatic retransmission of UDP packets like there is with TCP in response to a PTB message. The sender needs to send the request after timing out. Not only is this process slow, the resulting traffic patterns can be confused with other common sources of error, resulting from badly configured firewalls, leading to inappropriate remedial action being taken. This document recommends that all DNS/UDP messages are sent such that they do not trigger PMTUD.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

There are a number of IP stacks that enable PMTUD for all IP packets by default against the advice of . On those IP stacks it is necessary for the application to disable PMTUD on a per socket/packet basis or for the operator to disable it globally if there is no per socket/packet control.

It was realised that IPv6 changed the way PMTUD happened and that there were applications, like DNS, that would not work well with PMTUD. For those applications a socket option called IPV6_USE_MIN_MTU was developed which tells the IPv6 stack to fragment packets at the minimum IPv6 MTU rather than use PMTUD to find the actual PMTU. It is RECOMMENDED that IPV6_USE_MIN_MTU be set to 1 (one) when sending DNS/UDP messages over IPv6. This option can be set at the socket level or it can be set on a per UDP datagram basis. If the IPv6 stack does not support IPV6_USE_MIN_MTU, then steps should be taken to prevent PMTUD occuring. These include, but are not limited to, setting the MTU of the interface the packets are being sent over to the minimum IPv6 MTU (1280 bytes), or restricing DNS/UDP packets to no more than 1280 bytes including IPv6 headers. It should be noted that even with IPV6_USE_MIN_MTU set to one that a PTB message may still be received which requires a IPv6 to add a Fragmentation header to subsequent packets. There is currently no way to avoid this, without using raw sockets, as there is no way for a application to request that a Fragmentation header be added to a packet. however has some proposed methods.

No IANA Considerations.

Failure to prevent PMTUD can lead to denial of service for DNS clients. Firewalls are often configured to block fragmented IP packets as early IP stacks had fragmentation re-assembly bugs. These bugs were exploited to perform a number of denial of service and other attacks cira 1999. Such blocks should be relaxed to permit fragmented UDP packets.