[dns-operations] dns-operations Digest, Vol 92, Issue 13

Paul Vixie paul at redbarn.org
Mon Sep 9 14:31:42 UTC 2013


Yasuhiro Orange Morishita / 森下泰宏 wrote:
> Paul-san, and folks,
> Now we (including me) have known the dangers and limitations,
> so should we set max-udp-size to 1220 on every authoritative servers?

for unsigned responses, i think a v6 max-udp-size of 1220 and a v4 max-udp-size of 512 is what's called for. i've not seen an explanation of how dnssec-covered data can be poisoned, even with fragment attacks. orange, can you write RFC 6891-bis?

the messaging that would go out with this is, everybody needs to sign their dns data, and everybody needs to validate, and if you're planning to send large responses then your authority servers must be v6 reachable, and your v4 performance will be low due to tcp.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130909/1ba9ff38/attachment.html>

More information about the dns-operations mailing list