| Internet-Draft | DNS over IPv6 Best Practices | May 2024 |
| Hinden & Krishnan | Expires 4 November 2024 | [Page] |
This document describes an approach to how Domain Name Protocol (DNS) should be carried over IPv6. There have been some operational issues identified in carrying DNS packets over IPv6 and this draft proposes solutions to address them. A summary of what is proposed is to limit IPv6 DNS responses over UDP to be 1280 octets and use TCP or QUIC for anything larger.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 November 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document describes an approach to how the Domain Name Protocol (DNS) should be carried over IPv6 [RFC8200]. There have been some operatonal issues identified in carrying DNS packets over IPv6 and this draft proposes solutions to address them.¶
The IPv6 protocol requires a minimum link MTU of 1280 octets. From Section 5 "Packet Size Issues" of RFC8200:¶
Using Path MTU Discovery and IPv6 fragmentation larger packets may be sent. However, there is operational experience that seems to indicate that sending large DNS over UDP over IPv6 packets results in high loss rates.¶
Most modern transport protocols like TCP [TCP] and [QUIC] include packet segmentation techniques that allow them to send larger data streams over IPv6.¶
A recent dnsop working group document titled "IP Fragmentation Avoidance in DNS over UDP" [I-D.ietf-dnsop-avoid-fragmentation] also describes the issue, and recommends as best current practice to disable IPv6 fragmentation for sending DNS packets over IPv6. Specifically:¶
This document is aligned with the recommendation in [I-D.ietf-dnsop-avoid-fragmentation], but focuses on DNS over IPv6, and also recommends and provides additional details on running DNS over TCP or QUIC.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Domain Name System was originally defined in [RFC1034] and [RFC1035]. It was designed to be able to run over different transport protocols, including UDP, and TCP. It has also recently been extended to be able to run over QUIC [RFC9250]. These transport protocols can be run over IPv4 or IPv6.¶
When DNS was originally designed, the size of the DNS packets carried over UDP was limited to 512 bytes as defined in Section 2.3.4. of [RFC1035]. Longer messages were truncated and the Truncation (TC) bit was set indicating the response is incomplete so that the client can retry with TCP.¶
With this original behavior UDP over IPv6 would not exceed the IPv6 link MTU and hence would not present operational issues due to fragmentation. When DNSSEC was introduced, several responses were too small to fit into this 512 byte limit for UDP and hence resulted in TCP connections which impacted the scalability of the DNS servers. [RFC6891] allowed the requestors to specify larger UDP message sizes that they are able to handle but the sizes specified by the requestor might exceed the Path MTU.¶
DNS over IPv6 is defined to run over UDP, a very simple transport protocol, or more capable transport protocols like TCP or QUIC. UDP only provides for source and destination ports, a length field, and simple checksum. It is connectionless. Transport protocols like TCP and UDP provide additional features like packet segmentation, reliability, error correction, and connection state.¶
DNS over UDP over IPv6 works fine with small packet sizes, but becomes less reliable with larger packet sizes, especially in cases that require IPv6 datagram fragmentation.¶
DNS over TCP/QUIC over IPv6 will work fine with all packet sizes. The downside of running DNS over a stateful protocol such as TCP or QUIC is that this will require more resources on the DNS server and potentially affect scalability. This might be a reasonable tradeoff in case of servers that need to send larger DNS response packets.¶
It is recommended to limit packet sizes of DNS over UDP over IPv6 to 1280 octets. This avoids any need for IPv6 fragmentation or Path MTU Discovery. This should be very reliable.¶
Many (if not most) DNS queries and responses will fit with this packet size limit and hence can be sent over UDP. Larger DNS packets SHOULD not be sent over UDP, instead they SHOULD be sent over TCP or QUIC as described in the next section.¶
This recommendation is consistent with "UDP Usage Guidelines" [RFC8085] that makes the following recommendation when effective PMTU/PLPMTUD in not supported (as it is potentially the case in Internet-wide DNS operations):¶
When larger DNS packets need to be carried, it is recommended to run DNS over TCP or QUIC. These protocols handle segmentation and will reliably adjust their segment size for different link and path MTU values. In this regard they work much more reliably than using UDP with IPv6 fragmentation.¶
Section 4.2.2. of [RFC1035] describes the of TCP for carrying DNS messages. [RFC9250] describes how to use DNS over QUIC in order to provide transport confidentiality. Operation requirements for DNS over TCP are described in [RFC9210]¶
There are no actions required for IANA defined in this document.¶
Switching from UDP to TCP/QUIC for large responses means that the DNS server needs to maintain additional state for each query that was received over TCP/QUIC. This will consume additional resources on the servers and impact the scalability of the DNS system. It may also leave the servers vulnerable to DoS attacks.¶
Geoff Huston discussed the operational issues in his article "IPv6, DNS, and truncation in UDP" IPv6" [HUSTON] and Jared Mauch brought up the issues to the 6MAN working group.¶
Helpful comments were received from Warren Kumari, and other members of the V6OPS working group.¶
draft-hinden-ipv6-v6ops-00, 2024-May-02:¶