Maintained by: NLnet Labs

[Unbound-users] problems resolving /

Florian Weimer
Tue Jun 21 11:20:27 CEST 2011

* W. C. A. Wijngaards:

> Commonly, people block ICMP, and over IPv6 this blocks fragments because
> ICMP PMTU Discovery ICMP messages need to traverse the firewall.  Some
> firewalls do not support UDP-connection-tracking with fragmentation on
> IPv6 (such as pf).  These are random IPv6 hints ... :-)

For IPv6, the DNS server must fragment to about 1200 bytes per packet,
or cap EDNS0 buffer sizes at about 1150 bytes.  I'm not sure how many
servers get this right.  I'm not even sure if there's a suitable kernel
interface to achieve that.

The equivalent problem in IPv4 land has been solved, although there are
some DNS hosts that still do not get it right.  But IPv4 is much, much
easier because most systems can just send DF=0 packets.

Florian Weimer                <fweimer at>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
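
Added example, not part of the original message and not Unbound's code: a server-side sketch of the EDNS0 cap discussed above. It reads the UDP payload size from a query's OPT record and clamps the response limit to the post's "about 1150 bytes" figure, signalling truncation (TC bit, retry over TCP) beyond that. All function names and the constructed sample query are assumptions made for illustration.

```python
import struct

MAX_UNFRAGMENTED = 1280 - 40 - 8   # IPv6 minimum MTU minus IPv6 and UDP headers
EDNS_CAP = 1150                    # the post's "about 1150 bytes"
PLAIN_DNS_LIMIT = 512              # UDP limit when the query carries no OPT record
TYPE_OPT = 41

def build_query(name, edns_size=None, qid=0x1234):
    """Constructed sample query (AAAA, class IN), optionally with an OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += qname + struct.pack("!HH", 28, 1)
    if edns_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    # Raises IndexError on a short message; a server would answer FORMERR.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_size(msg):
    """Return the EDNS0 UDP payload size advertised in the query, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            return rclass                      # CLASS field holds the buffer size
        off += 10 + rdlen
    return None

def response_limit(query, cap=EDNS_CAP):
    size = advertised_size(query)
    if size is None:
        return PLAIN_DNS_LIMIT
    return min(max(size, PLAIN_DNS_LIMIT), cap)  # sizes below 512 count as 512

def must_truncate(response_len, query, cap=EDNS_CAP):
    return response_len > response_limit(query, cap)  # True: send TC=1 instead
```

With the cap at 1150, a response that fits the limit also fits in a single 1280-byte IPv6 packet (1232 bytes of UDP payload), so the server never depends on fragments or PMTU discovery getting through a firewall.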