[dns-operations] DNS deluge for x.p.ctrc.cc

Gadi Evron ge at linuxbox.org
Mon Feb 27 07:07:44 UTC 2006


Mark Andrews wrote:
> 	The current RFC's were only finalised mid last year.  There is
> 	a small amount of deployment happening.  Did you really expect
> 	widespread deployment immediately?

No, I expected it 10 years ago, but that's just me. :)

>>How large would the packets for these applications be? Surely if they 
>>are, say, 1024, it's better than 4 K's.
>>:)
> 
> 
> 	For DNSSEC you need > 2048.  For IPv6 only you could get away
> 	with 1500.  For DNSSEC + IPv6 you start to go close to 4k.

So I think I will be fine with 512 nowadays, and Rob was right?
As the people who will actually apply the band-aid are *mostly* also
people who will apply a better solution when the time comes, I honestly
don't see why his suggestion is such a bad thing when this is NOW itw?

>>Also, wasn't the problem packet fragmentation? What am I missing?
> 
> 
> 	The basic problem is that UDP is too easy to spoof and there
> 	are still way too many networks that don't do source address
> 	filtering of the packets leaving their networks.
> 
> 	DNS just happens to be a widespread protocol based on UDP
> 	where the responses are bigger than the queries.  Even if
> 	you block all the non-local recursive queries there are
> 	still enough authoritative servers with big RRsets that you
> 	can query for.

But one can *limit* the problem?
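To make the size trade-off in this exchange concrete, here is an added example (not code from the thread or from either poster) that builds a DNS query with and without an EDNS0 OPT record, reads back the advertised UDP payload size, and computes the worst-case response-bytes-per-query-byte ratio a server would hand to a spoofed source under each of the limits mentioned above (512, 1500, 2048, 4096). The name example.com, the query type and the 3000-byte response size are assumptions for illustration.

```python
import struct

# Payload sizes discussed in the thread (bytes); 512 is the pre-EDNS limit (RFC 1035)
CLASSIC_LIMIT = 512
EDNS_SIZES = {"ipv6-only": 1500, "dnssec-only": 2048, "dnssec+ipv6": 4096}

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=255, udp_size=None, txid=0x1234):
    """Standard query (RD set) for name/qtype; when udp_size is given an
    OPT RR advertising that buffer size is appended (RFC 6891 6.1.2)."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL carries ext-rcode/version/flags (all zero), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query):
    """UDP payload size advertised in the query's OPT RR, or 512 when the
    query carries no EDNS OPT record (classic DNS-over-UDP behaviour)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return CLASSIC_LIMIT
    pos = 12                       # skip the question: name, QTYPE, QCLASS
    while query[pos] != 0:
        pos += 1 + query[pos]
    pos += 1 + 4
    rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    if query[pos] != 0 or rtype != 41:
        return CLASSIC_LIMIT       # additional record is not an OPT RR
    return rclass

def max_amplification(query, full_response_len):
    """Worst-case bytes-out / bytes-in for one spoofed query: the server
    sends at most the advertised size; larger answers come back truncated
    (TC bit) and only a real client will follow up over TCP."""
    sent = min(full_response_len, advertised_udp_size(query))
    return sent / len(query)
```

With a 3000-byte RRset, a classic 512-byte client caps the ratio near 18:1 while a 4096-byte EDNS client lets the full answer through at 75:1, which is the difference the thread is weighing.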
