> For IPv4, you can just send a 1500 octet DNS reply and it will be fragmented as needed
As mentioned, in theory yes, but in practice most hardware-based IPv4 routers don't actually implement fragmentation anymore.
> You can always fragment at 1280, but many firewalls will drop fragmented packets, also because IPv6 extension header parsing is complicated.
Many of the same firewalls drop fragmented DNS packets as well because of cache poisoning attacks and other issues.
All that isn't to say people haven't tried/used fragmentation for UDP DNS packets, but rather that it's historically never worked reliably or securely anyway, which is why all of the current BCP RFCs say to avoid it at all costs.
All of that is why EDNS0 specified the min max to be 1220 bytes, and dnsflagday last year focused on 1232 payload bytes instead of 1500 (minus change).
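The resolver-side discipline the comment argues for, as an added example that is not code from this thread: a Python query builder that advertises the 1232-byte EDNS0 UDP payload size in the OPT record, and a check that routes an oversized or truncated UDP reply to a TCP retry instead of hoping fragments get through. Function names and the constructed reply bytes are my own.

```python
import struct

# Wire formats follow RFC 1035 (header/question) and RFC 6891 (OPT pseudo-RR).
EDNS_BUFSIZE = 1232  # dnsflagday value: fits a 1280-byte IPv6 MTU minus IP+UDP headers

def encode_name(name):
    """Encode a dotted name as DNS labels: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, bufsize=EDNS_BUFSIZE):
    """Header + one question + an OPT RR in the additional section carrying bufsize."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype A, class IN
    # OPT RR: root name, TYPE=41, CLASS field reused as UDP payload size,
    # TTL field = extended rcode/version/flags (all zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def advertised_bufsize(query):
    """Read the payload size back out of the trailing OPT RR (last 11 bytes of our query)."""
    name, rtype, bufsize, _ttl, _rdlen = struct.unpack("!BHHIH", query[-11:])
    if name != 0 or rtype != 41:
        return None
    return bufsize

def needs_tcp_retry(reply, bufsize=EDNS_BUFSIZE):
    """True if the UDP reply has TC set or exceeds what we advertised.
    The size check catches a server that ignored bufsize and relied on fragmentation."""
    if len(reply) < 12:
        return True  # header too short to trust: treat as unusable
    flags = struct.unpack("!H", reply[2:4])[0]
    truncated = bool(flags & 0x0200)  # TC is bit 9 of the flags word
    return truncated or len(reply) > bufsize

if __name__ == "__main__":
    q = build_query("example.com.")
    print(len(q), advertised_bufsize(q))
    # Constructed reply header: QR=1 TC=1 RD=1 RA=1, no records -> retry over TCP
    truncated_reply = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    print(needs_tcp_retry(truncated_reply))
```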