auth: lower udp-truncation-threshold by default to 1232

diff --git a/docs/settings.rst b/docs/settings.rst
index 4bd95bcede62ff266320c4e956b04a824f90fef1..2e7c7ec8ffc54908ed1268b0d71221c5d0dbea7d 100644 (file)
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1535,16 +1535,18 @@ IP address of incoming notification proxy
 ----------------------------
 
 -  Integer
--  Default: 1680
+-  Default: 1232
 
 EDNS0 allows for large UDP response datagrams, which can potentially
 raise performance. Large responses however also have downsides in terms
-of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the
-truncation limit was set at 1680 bytes, regardless of EDNS0 buffer size
-indications from the client. Beyond 3.3, this setting makes our
-truncation limit configurable. Maximum value is 65535, but values above
+of reflection attacks. Maximum value is 65535, but values above
 4096 should probably not be attempted.
 
+.. note:: Why 1232?
+
+  1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
+  IPv6 has a minumum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`), minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response.
+
 .. _setting-version-string:
 
 ``version-string``

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index b0999fa3b60fccd363e70f9456a52391ade4521a..4a72e67398cec5daf11d1b1e9c0e9729a953b071 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -116,7 +116,7 @@ void declareArguments()
   ::arg().set("receiver-threads","Default number of receiver threads to start")="1";
   ::arg().set("queue-limit","Maximum number of milliseconds to queue a query")="1500"; 
   ::arg().set("resolver","Use this resolver for ALIAS and the internal stub resolver")="no";
-  ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
+  ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1232";
   ::arg().set("disable-tcp","Do not listen to TCP queries")="no";
   
   ::arg().set("config-name","Name of this virtual configuration - will rename the binary image")="";

diff --git a/regression-tests.nobackend/edns1/test-edns.py b/regression-tests.nobackend/edns1/test-edns.py
index b71d1a67949b2c15e3aee469d20d017b60bce3fb..9d6332ddf4f5265294c678adf8e05ebce499fadf 100755 (executable)
--- a/regression-tests.nobackend/edns1/test-edns.py
+++ b/regression-tests.nobackend/edns1/test-edns.py
@@ -3,6 +3,8 @@
 from __future__ import print_function
 import socket
 
+# TODO use dnspython to parse/check
+
 MESSAGE=b"\xaf\x03\x00\x20\x00\x01\x00\x00\x00\x00\x00\x01\x04\x75\x6e\x69\x74\x04\x74\x65\x73\x74\x00\x00\x06\x00\x01\x00\x00\x29\x10\x00\x00\x64\x00\x00\x00\x10\x00\x0a\x00\x08\x39\x70\xad\xaf\xca\xa8\x96\xca\x00\x64\x00\x00"
 sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 
@@ -12,7 +14,7 @@ sock.sendto(MESSAGE, ("127.0.0.1", 5501))
 data, addr = sock.recvfrom(512)
 
 # make sure data is correct
-EXPECT=b"\xaf\x03\x84\x00\x00\x01\x00\x00\x00\x00\x00\x01\x04\x75\x6e\x69\x74\x04\x74\x65\x73\x74\x00\x00\x06\x00\x01\x00\x00\x29\x06\x90\x01\x00\x00\x00\x00\x00"
+EXPECT=b"\xaf\x03\x84\x00\x00\x01\x00\x00\x00\x00\x00\x01\x04\x75\x6e\x69\x74\x04\x74\x65\x73\x74\x00\x00\x06\x00\x01\x00\x00\x29\x04\xd0\x01\x00\x00\x00\x00\x00"
 
 if (data != EXPECT):
   print("Invalid EDNS response, expected extended RCODE=BADVERS, no SOA, and OPT version 0")