[dns-operations] DNS deluge for x.p.ctrc.cc
ge at linuxbox.org
Mon Feb 27 07:07:44 UTC 2006
Mark Andrews wrote:
> The current RFCs were only finalised mid last year. There is
> a small amount of deployment happening. Did you really expect
> widespread deployment immediately?
No, I expected it 10 years ago, but that's just me. :)
>>How large would the packets for these applications be? Surely if they
>>are, say, 1024, it's better than 4 K's.
> For DNSSEC you need > 2048. For IPv6 only you could get away
> with 1500. For DNSSEC + IPv6 you start to go close to 4k.
So I think I will be fine with 512 nowadays, and Rob was right?
As the people who will actually apply the band-aid are *mostly* also
people who will apply a better solution when the time comes, I honestly
don't see why his suggestion is such a bad thing when this is NOW itw?
>>Also, wasn't the problem packet fragmentation? What am I missing?
> The basic problem is that UDP is too easy to spoof and there
> are still way too many networks that don't do source address
> filtering of the packets leaving their networks.
> DNS just happens to be a widespread protocol based on UDP
> where the responses are bigger than the queries. Even if
> you block all the non-local recursive queries there are
> still enough authoritative servers with big RRsets that you
> can query for.
But one can *limit* the problem?
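As an added illustration of the "limit" this reply asks about (example code, not from the thread or its participants): a responder clamps the EDNS0 UDP payload size a client advertises to its own configured maximum, which bounds how much larger than the query a UDP answer can ever be. The query builder, the 512/4096 figures and the `server_max` knob are assumptions for the demonstration.

```python
import struct
from typing import Optional

RFC1035_DEFAULT = 512  # largest UDP response a client without EDNS0 can accept

def build_query(name: str, edns_payload: Optional[int] = None) -> bytes:
    """Constructed test input: a minimal A query, optionally with an EDNS0 OPT RR."""
    arcount = 0 if edns_payload is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if edns_payload is not None:
        # OPT pseudo-RR: root name, TYPE=41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt

def _skip_name(packet: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(packet: bytes) -> int:
    """UDP payload size the client advertises in its OPT RR, else the RFC 1035 default."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass
    return RFC1035_DEFAULT

def effective_limit(packet: bytes, server_max: int) -> int:
    """A responder sends at most min(advertised, its own configured maximum) over UDP."""
    return min(advertised_udp_size(packet), server_max)

def worst_case_ratio(packet: bytes, server_max: int) -> float:
    """Upper bound on response bytes per query byte once the server-side cap applies."""
    return effective_limit(packet, server_max) / len(packet)
```

Lowering `server_max` from 4096 to 512 shrinks the bound by the same factor, while the client still gets a truncated answer it can retry over TCP.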