Closed Bug 656211 Opened 15 years ago Closed 15 years ago

Nameservers replying with fragmented UDP packets

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ravi, Assigned: ravi)

Details

Attachments

(1 file)

A report came into abuse@ reporting that 63.245.212.5 and 63.245.208.161 were sending UDP-fragmented DNS replies to hosts in the 203.121.0.0 - 203.121.31.255 range. This appears to be consistent with the revised draft to RFC 1035 [1], Bigger Domain Name System UDP Replies, and specifically appears to be a byproduct of DNSSEC adding a lot of additional data to the response. I have attached a packet capture from my client with a DNSSEC query and a non-DNSSEC query of versioncheck.addons.mozilla.org, which is one of the observed hosts that resulted in a UDP FRAG in a sample capture of ns1.mozilla.org. It is clear from the capture that the DNSSEC reply is fragmented while the non-DNSSEC reply is not.

[1] http://tools.ietf.org/html/draft-ietf-dnsind-udp-size-02
Attachment #531549 - Attachment mime type: application/octet-stream → text/plain
Attachment #531549 - Attachment mime type: text/plain → application/octet-stream
Additionally, the reply is larger because we are signing with 2 keys. We will eventually only sign with 1 key, which should reduce the reply size, but we are almost certainly not going to be the only site which does this. Relaxing firewall filters to permit DNS UDP fragments is suggested, since IPv6 will also introduce possible UDP fragments. Keeping this bug open for 24 hours.
OS: Mac OS X → All
Hardware: x86 → All
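An offline check for the condition described in this bug, added here as an example (it is not part of the bug, its attachment, or Mozilla's tooling). It builds a query carrying an EDNS0 OPT pseudo-RR that advertises a UDP receive buffer and sets the DO bit (the DNSSEC case from the capture), and classifies a reply by its size, its TC bit, and the number of IPv4 fragments it would need at a given MTU. That lets an operator see whether a smaller advertised buffer makes the server answer with a truncated reply (TCP fallback) instead of fragments before deciding how to handle fragment filtering. The 1500-byte MTU default, the constructed sample bytes, and the `probe()` command-line usage are assumptions; the query name is the one from the comment above.

```python
"""Helpers for checking whether DNSSEC replies will fragment.

Added example, not code from the bug or from Mozilla. Standard library only;
the sample bytes below are constructed so the checks run offline.
"""
import math
import socket
import struct

IPV4_HEADER_LEN = 20   # assumes no IP options
UDP_HEADER_LEN = 8
TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1


def encode_name(qname):
    """Encode a dotted name in DNS wire format (labels, no compression)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname, qtype=TYPE_A, udp_payload_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a query with an EDNS0 OPT pseudo-RR (RFC 6891 / the udp-size draft).

    udp_payload_size is the buffer we claim we can receive; dnssec_ok sets the
    DO bit, which asks for RRSIGs and is what makes the reply large.
    """
    # flags 0x0100 = RD; counts: 1 question, 0 answer, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    ttl_field = 0x8000 if dnssec_ok else 0   # DO is the top bit of the 16-bit flags half
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl_field, 0)
    return header + question + opt_rr


def parse_header(message):
    """Return the header fields a fragmentation check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "truncated": bool(flags & 0x0200),   # TC: server could not fit the reply in UDP
        "rcode": flags & 0x000F,
        "answer_count": an,
    }


def max_unfragmented_payload(mtu=1500):
    """Largest DNS message that fits in one IPv4/UDP packet at this MTU."""
    return mtu - IPV4_HEADER_LEN - UDP_HEADER_LEN


def ipv4_fragments(dns_payload_len, mtu=1500):
    """Number of IPv4 fragments a UDP datagram of this DNS payload needs."""
    datagram_len = UDP_HEADER_LEN + dns_payload_len
    per_fragment = (mtu - IPV4_HEADER_LEN) // 8 * 8   # fragment data is a multiple of 8 bytes
    return math.ceil(datagram_len / per_fragment)


def classify_response(message, mtu=1500):
    """Summarise a reply: size, truncation, and fragments needed at the given MTU."""
    info = parse_header(message)
    info["size"] = len(message)
    info["fragments"] = ipv4_fragments(len(message), mtu)
    return info


def probe(server, qname, udp_payload_size=4096, dnssec_ok=True, timeout=3.0):
    """Send one UDP query and classify the reply (needs network; not used offline)."""
    query = build_edns_query(qname, udp_payload_size=udp_payload_size, dnssec_ok=dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(65535)
    return classify_response(reply)


if __name__ == "__main__":
    # Hypothetical usage: python3 probe.py <nameserver-ip> <name> [udp_payload_size]
    import sys
    size = int(sys.argv[3]) if len(sys.argv) > 3 else 4096
    print(probe(sys.argv[1], sys.argv[2], udp_payload_size=size))
```

Running `probe()` twice against the same server, once with a large advertised buffer and once with one at or below `max_unfragmented_payload()`, shows the trade-off the comment describes: the large buffer produces a reply that needs two or more fragments, while the small one either fits or comes back with TC set and is retried over TCP.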
time's up!
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
