[dns-operations] Some DNSSEC trivia

Florian Weimer fweimer at bfk.de
Wed Jan 9 09:20:49 UTC 2008

* Lutz Donnerhacke:

> * Mark Andrews wrote:
>> 		Idiots with firewalls.
>> 	* respond to queries from port 53.
>> 	* respond to queries from well know UDP malware source ports.
> Please add "4096 Byte EDNS0 UDP Queries".

As MUST or MUST NOT?  It's not clear to me if large UDP packet support
beyond the de-facto Internet MTU is a good idea due to the traffic
amplification issue.

I'd rather see that servers respond to 53/TCP in all cases.  That way,
a resolver which detects that it's under a spoofing attack can fall
back to TCP, hopefully relying on the somewhat stronger TCP sequence

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the dns-operations mailing list