topic Re: dnssec and mtu size in Firewall and Security Management

dnssec and mtu size

Daniel_Kavan — Wed, 18 Oct 2023 15:13:02 GMT

Packet captures show we are missing the ecdns0 header. Has anyone had to raise their interface MTU size to accommodate for DNSSEC? Some one is suggesting to raise it to 4500. Has anyone had any issues with a MTU size of 4500 over copper (1GB/s) ? Meh, it looks like 1500 bytes is the max MTU for copper. Does R81.20 support jumbo frames with fiber? I assume so. Yeah, it looks like it and also if you bond interfaces together. I'm going to close this after reading other post on jumbo frames.

https://dnsinstitute.com/documentation/dnssec-guide/ch03s05.html#:~:text=You%20can%20use%20dig%20to%20verify%20that%20your,%2Bmultiline%20%3B%20%3C%3C%3E%3E%20DiG%209.10.0-P2%20%3C%3C%3E%3E%20%40192.168.1.7%20www.isc.org

Re: dnssec and mtu size

Chris_Atkinson — Wed, 18 Oct 2023 03:00:19 GMT

It's potentially only part of the equation depending on what your connected infrastructure and ISP line supports.

Refer also: sk92835: Large DNS packets (eDNS) are dropped by the gateway

Re: dnssec and mtu size

G_W_Albrecht — Wed, 18 Oct 2023 07:35:12 GMT

As sk92835 is completely EOL - what about currently supported versions ?

Re: dnssec and mtu size

Daniel_Kavan — Wed, 18 Oct 2023 14:28:42 GMT

I'm curious if a large MTU size like 4500 would have complications with IPSEC site to site VPN tunnels as well on R81.20.

Re: dnssec and mtu size

Daniel_Kavan — Wed, 18 Oct 2023 14:50:48 GMT

Thanks for the suggestion Chris, I had both of those setting in sk92835 already in check.

Re: dnssec and mtu size

G_W_Albrecht — Wed, 18 Oct 2023 15:23:51 GMT

See sk65264: What is Jumbo frame and MTU Maximum length:

jumbo frame MTU range is 1500-16,000

But this is depending on IF, see details in sk170533: "Failed to set MTU [XXXX] on interface" error and find the remark:

it is generally not recommended to set an MTU size of more than 9000

So 4500 should be possible if supported by the IFs used on the way to the internet. But best practice is to make MTU larger only in small steps until the issue is resolved.

Re: dnssec and mtu size

Daniel_Kavan — Wed, 18 Oct 2023 16:01:21 GMT

So, you can use jumbo frames over copper, 1 Gbps or you would need fiber? Assuming you set a copper interface to more that 1500, say 2500 to start then it automatically uses jumbo frame all the time and for every frame or just when needed? Or how/where do you enable jumbo frame support? So, leave MTU set to 1500 and enable jumbo frame support some where?

Re: dnssec and mtu size

G_W_Albrecht — Thu, 19 Oct 2023 08:33:11 GMT

Afaik Framesize will be changed as needed by the traffic. If MTU is set to 1500 you have no Jumbo frames. Did you not notice the IF types and values in sk170533 ?

sk98074: MTU and Fragmentation Issues in IPsec VPN

sk167357: MTU value mismatch after removing interface from bond

MTU is mostly discussed when using e.g. Path MTU Discovery Mode for cellular connections and small-band ISP connections. Fragmentation is the other half of the game...