DNS over IPv6 Best Practices

This document describes an approach to how the Domain Name Protocol (DNS) should be carried over IPv6 . There have been some operatonal issues identified in carrying DNS packets over IPv6 and this draft proposes solutions to address them. The IPv6 protocol requires a minimum link MTU of 1280 octets. From Section 5 "Packet Size Issues" of RFC8200:

IPv6 requires that every link in the Internet have an MTU of 1280 octets or greater. This is known as the IPv6 minimum link MTU. On any link that cannot convey a 1280-octet packet in one piece, link- specific fragmentation and reassembly must be provided at a layer below IPv6.

Using Path MTU Discovery and IPv6 fragmentation larger packets may be sent. However, there is operational experience that seems to indicate that sending large DNS over UDP over IPv6 packets results in high loss rates. Most modern transport protocols like TCP [TCP] and [QUIC] include packet segmentation techniques that allow them to send larger data streams over IPv6. A recent dnsop working group document titled "IP Fragmentation Avoidance in DNS over UDP" also describes the issue, and recommends as best current practice to disable IPv6 fragmentation for sending DNS packets over IPv6. Specifically:

3.1. Recommendations for UDP responders
R1. UDP responders SHOULD NOT use IPv6 fragmentation [RFC8200].

This document is aligned with the recommendation in , but focuses on DNS over IPv6, and also recommends and provides additional details on running DNS over TCP or QUIC.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The Domain Name System was originally defined in and . It was designed to be able to run over different transport protocols, including UDP, and TCP. It has also recently been extended to be able to run over QUIC . These transport protocols can be run over IPv4 or IPv6. When DNS was originally designed, the size of the DNS packets carried over UDP was limited to 512 bytes as defined in Section 2.3.4. of . Longer messages were truncated and the Truncation (TC) bit was set indicating the response is incomplete so that the client can retry with TCP. With this original behavior UDP over IPv6 would not exceed the IPv6 link MTU and hence would not present operational issues due to fragmentation. When DNSSEC was introduced, several responses were too small to fit into this 512 byte limit for UDP and hence resulted in TCP connections which impacted the scalability of the DNS servers. allowed the requestors to specify larger UDP message sizes that they are able to handle but the sizes specified by the requestor might exceed the Path MTU.

DNS over IPv6 is defined to run over UDP, a very simple transport protocol, or more capable transport protocols like TCP or QUIC. UDP only provides for source and destination ports, a length field, and simple checksum. It is connectionless. Transport protocols like TCP and UDP provide additional features like packet segmentation, reliability, error correction, and connection state. DNS over UDP over IPv6 works fine with small packet sizes, but becomes less reliable with larger packet sizes, especially in cases that require IPv6 datagram fragmentation. DNS over TCP/QUIC over IPv6 will work fine with all packet sizes. The downside of running DNS over a stateful protocol such as TCP or QUIC is that this will require more resources on the DNS server and potentially affect scalability. This might be a reasonable tradeoff in case of servers that need to send larger DNS response packets.

It is recommended to limit packet sizes of DNS over UDP over IPv6 to 1280 octets. This avoids any need for IPv6 fragmentation or Path MTU Discovery. This should be very reliable. Many (if not most) DNS queries and responses will fit with this packet size limit and hence can be sent over UDP. Larger DNS packets SHOULD not be sent over UDP, instead they SHOULD be sent over TCP or QUIC as described in the next section. This recommendation is consistent with "UDP Usage Guidelines" that makes the following recommendation when effective PMTU/PLPMTUD in not supported (as it is potentially the case in Internet-wide DNS operations):

Applications that do not follow the recommendation to do PMTU/PLPMTUD discovery SHOULD still avoid sending UDP datagrams that would result in IP packets that exceed the path MTU. Because the actual path MTU is unknown, such applications SHOULD fall back to sending messages that are shorter than the default effective MTU for sending (EMTU_S in [RFC1122]). For IPv4, EMTU_S is the smaller of 576 bytes and the first-hop MTU [RFC1122]. For IPv6, EMTU_S is 1280 bytes [RFC2460].

When larger DNS packets need to be carried, it is recommended to run DNS over TCP or QUIC. These protocols handle segmentation and will reliably adjust their segment size for different link and path MTU values. In this regard they work much more reliably than using UDP with IPv6 fragmentation. Section 4.2.2. of describes the of TCP for carrying DNS messages. describes how to use DNS over QUIC in order to provide transport confidentiality. Operation requirements for DNS over TCP are described in

There are no actions required for IANA defined in this document.

Switching from UDP to TCP/QUIC for large responses means that the DNS server needs to maintain additional state for each query that was received over TCP/QUIC. This will consume additional resources on the servers and impact the scalability of the DNS system. It may also leave the servers vulnerable to DoS attacks.

Geoff Huston discussed the operational issues in his article "IPv6, DNS, and truncation in UDP" IPv6" and Jared Mauch brought up the issues to the 6MAN working group. Helpful comments were received from Warren Kumari, and other members of the V6OPS working group.

draft-hinden-ipv6-v6ops-00, 2024-May-02:

Initial draft.