CNAME and IPv6
Marco Moock
mm at dorfdsl.de
Thu May 30 06:07:27 UTC 2024
On 30.05.2024 at 00:47:56, Peter wrote:
> On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas
> wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock
> wrote: ! > > rinetd manages 2 separate connections and should work
> with PMTUD. !
> ! On 28.05.24 22:17, Peter wrote:
> ! > I'm wondering how it would. The connections are TCP, the PMTU
> works ! > via ICMP6.
Please stop using ! as a quoting character, it will break line wrapping
when replying and create a mess in the mailing list.
> ! No, Path MTU discovery works with TCPv4 using ICMPv4 as well.
> ! (although it was/is quite common to block ICMP packets which can
> make it not ! work properly)
>
> That is a different matter, lots of people switch them off
> and things do still work, because we're in most cases allowed to
> defragment (firewalls do that) and refragment at any point on the
> way as needed.
That only applies if the router wants to fragment it and if the DF bit
is NOT set by the sender.
> Blocking ICMPv4 is a practice that is certainly annoying, but what
> can we do?
Telling those who do it that it is a really bad idea and don't
implement workarounds.
> ! > So I would assume, the ICMP "packet too big" message
> ! > reaches the host where rinetd runs, is swallowed by the kernel,
> and ! > the kernel sets the MTU in its hostcache. Or something along
> that ! > line.
> !
> ! > The TCP traffic however gets forwarded by rinetd to the internal
> ! > appserver(s) - which never get the message that they should reduce
> ! > their MTU.
> !
> ! The data from one TCP connection are sent through another TCP
> connection, ! where both connections are separate with separate MTU
> and PMTUD.
>
> A new quintuple, then. Hm. Not sure why I was unhappy with that...
Didn't you say you never tried rinetd?
> one reason was probably that a webserver would not be able to know the
> client address.
That is indeed the case and logging will be much more complicated,
including banning with fail2ban.
--
Regards
Marco
Send unsolicited bulk mail to 1717022876muell at cartoonies.org