[dns-operations] Some DNSSEC trivia
Florian Weimer
fweimer at bfk.de
Wed Jan 9 09:20:49 UTC 2008
* Lutz Donnerhacke:
> * Mark Andrews wrote:
>> Idiots with firewalls.
>>
>> * respond to queries from port 53.
>> * respond to queries from well-known UDP malware source ports.
>
> Please add "4096 Byte EDNS0 UDP Queries".
As MUST or MUST NOT? It's not clear to me if large UDP packet support
beyond the de-facto Internet MTU is a good idea due to the traffic
amplification issue.
I'd rather see that servers respond to 53/TCP in all cases. That way,
a resolver which detects that it's under a spoofing attack can fall
back to TCP, hopefully relying on the somewhat stronger TCP sequence
numbers.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
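Added example, not part of Florian's message or of the list thread: a small Python sketch of the trade-off he describes. It builds queries with and without an EDNS0 OPT record, models an authority that returns a large answer over UDP only when it fits the client's advertised buffer (otherwise an empty reply with TC set), and shows the resolver side, where a TC bit, or repeated replies with the wrong transaction ID, lead to a retry over 53/TCP. The name example.com, the 100-address answer, the three-mismatch threshold and the server model are assumptions made for illustration, not the behaviour of any particular implementation.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a DNS query (QCLASS IN, RD set). With edns_udp_size, append an
    EDNS0 OPT pseudo-RR (RFC 6891) advertising that UDP payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size is not None:
        # OPT: NAME=root, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query):
    """UDP payload size a query advertises via OPT; 512 if it carries no OPT (RFC 1035)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 1:
        name, rtype, size = struct.unpack("!BHH", query[-11:-6])
        if name == 0 and rtype == 41:
            return size
    return 512

def parse_header(msg):
    """Decode the fields of the 12-byte DNS header this example cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def build_response(query, ips, truncated=False):
    """Constructed helper: an A-record response echoing the question section,
    one RR per address in ips; TC set when truncated=True."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)    # QR, RD, RA (+TC)
    end = 12
    while query[end] != 0:                          # walk the QNAME labels
        end += query[end] + 1
    end += 1 + 4                                    # root label, QTYPE, QCLASS
    question = query[12:end]
    answers = b""
    for ip in ips:   # name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLEN 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0) + question + answers

def server_answer(query, ips):
    """Modelled authority (assumption): full answer over UDP only if it fits the
    client's advertised size; otherwise an empty answer with TC set."""
    full = build_response(query, ips)
    if len(full) <= advertised_udp_size(query):
        return full
    return build_response(query, [], truncated=True)

def tcp_frame(msg):
    """Two-byte length prefix used when DNS runs over TCP (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def decide_next_step(query, response):
    """Resolver verdict for one UDP reply: 'discard' (not a reply to our ID,
    possible spoof), 'retry-tcp' (truncated), or 'accept'."""
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["id"] != struct.unpack("!H", query[:2])[0]:
        return "discard"
    return "retry-tcp" if hdr["tc"] else "accept"

def amplification_factor(query, response):
    """Bytes returned per byte sent: what an attacker spoofing the source gains."""
    return len(response) / len(query)

class SpoofGuard:
    """Assumed resolver heuristic: after `threshold` ID-mismatched replies to one
    outstanding query, stop trusting UDP for it and retry over TCP."""
    def __init__(self, threshold=3):
        self.threshold, self.mismatches = threshold, 0

    def classify(self, query, response):
        verdict = decide_next_step(query, response)
        if verdict == "discard":
            self.mismatches += 1
            if self.mismatches >= self.threshold:
                return "retry-tcp"
        return verdict

if __name__ == "__main__":
    ips = ["192.0.2.%d" % (i % 250 + 1) for i in range(100)]   # constructed answer set
    for size in (None, 4096):
        q = build_query("example.com.", edns_udp_size=size)
        r = server_answer(q, ips)
        print("EDNS size %s: query %d B, reply %d B, verdict %s, amplification %.1fx"
              % (size, len(q), len(r), decide_next_step(q, r), amplification_factor(q, r)))
    guard = SpoofGuard()
    q = build_query("example.com.")
    forged = b"\xff\xff" + server_answer(q, ips[:1])[2:]       # wrong transaction ID
    print([guard.classify(q, forged) for _ in range(3)])      # ['discard', 'discard', 'retry-tcp']
```

Run as-is: without OPT the 29-byte query gets a 29-byte truncated reply (amplification 1.0, verdict retry-tcp); with a 4096-byte OPT the 40-byte query pulls a 1629-byte reply over UDP, about 40x, which is the amplification concern in the message, while the TCP path costs the attacker a handshake with the 32-bit sequence numbers Florian mentions.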