
DNS Flag Day 2020: October 1 - throw0101a
https://dnsflagday.net/2020/
======
throw0101a
TL;DR:

> _If you are an authoritative DNS server operator, what you should do to help
> with these issues is ensure that your DNS servers can answer DNS queries
> over TCP (port 53). Check your firewall(s) as well, as some of them block
> TCP/53._

> _You should also configure your servers to negotiate an EDNS buffer size
> that will not cause fragmentation. The value recommended here is 1232
> bytes._

> _Authoritative DNS servers MUST NOT send answers larger than the requested
> EDNS buffer size!_

ISC (makers of BIND):

> _For DNS Flag Day 2020, the idea is the same: make the Internet a better
> place through a coordinated effort across participating DNS implementers,
> vendors, and operators. This time, however, the target might seem not
> directly related to DNS: IP fragmentation. The truth is that DNS is one of
> the few prominent users of IP fragmentation. When DNS messages are
> transferred between the DNS server and a DNS client over UDP, they can
> exceed the Maximum Transfer Unit (MTU) on any part of the path between the
> two endpoints. The MTU might vary between any two interconnects; while the
> standard MTU of Ethernet is 1500, the unit size is effectively reduced by
> encapsulation into different protocols (the most basic example would be
> VPN). When the MTU is exceeded, the IP packet gets fragmented (split into
> more parts) and reassembled._

* [https://www.isc.org/blogs/dns-flag-day-2020/](https://www.isc.org/blogs/dns-flag-day-2020/)

So please make sure your DNS servers (authoritative, recursive, stub) can
handle UDP up to 1232 bytes, and also are able to handle queries and answers
over TCP.
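The three points above (advertise a 1232-byte EDNS buffer, treat a UDP answer larger than that as a server-side violation, retry over TCP when the TC bit is set) as an added Python example; it is not code from the post, dnsflagday.net or ISC, and the sample responses, the `query_tcp` helper and its `server` argument are constructed for illustration.

```python
import socket
import struct

EDNS_BUFSIZE = 1232  # buffer size recommended by DNS Flag Day 2020


def build_query(qname, qtype=1, bufsize=EDNS_BUFSIZE, txid=0x1234):
    """Build a DNS query (A by default) with an EDNS0 OPT record advertising bufsize."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt


def check_response(resp, advertised=EDNS_BUFSIZE):
    """Classify a UDP response against the EDNS buffer size we advertised."""
    if len(resp) < 12:
        return "malformed"
    flags = struct.unpack("!H", resp[2:4])[0]
    if len(resp) > advertised:
        return "violation"      # server ignored the requested buffer size
    if flags & 0x0200:          # TC bit set: answer did not fit, retry over TCP
        return "retry-tcp"
    return "ok"


def query_tcp(server, wire, timeout=5.0):
    """Send the same query over TCP/53 (2-byte length prefix) to confirm TCP works."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(wire)) + wire)
        n = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return data


def demo():
    """Constructed sample responses (header only, payload zeroed) for each verdict."""
    ok = b"\x12\x34\x81\x80" + b"\x00" * 8                  # QR, RD, RA; fits in 1232
    truncated = b"\x12\x34\x82\x00" + b"\x00" * 8           # QR + TC: must retry over TCP
    oversized = b"\x12\x34\x81\x80" + b"\x00" * 8 + b"\x00" * 1300  # 1312 bytes > 1232
    return [check_response(r) for r in (ok, truncated, oversized)]


if __name__ == "__main__":
    print(demo())
```

To test a live authoritative server, send `build_query("example.com")` over UDP to it, feed the reply to `check_response`, and on `retry-tcp` repeat the same wire query with `query_tcp`.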

