[dns-operations] dns-operations Digest, Vol 92, Issue 13

Yasuhiro Orange Morishita / 森下泰宏 yasuhiro at jprs.co.jp
Tue Sep 10 17:02:34 UTC 2013


Paul-san,

> for unsigned responses, i think a v6 max-udp-size of 1220 and a v4
> max-udp-size of 512 is what's called for.

I believe the typical datalinks with MTU=576 are (were) X.25 and SLIP
(of course, it's not RRL's one).  And I believe both links are deprecated.

And I know the IP specification defines the minimum MTU size as 576.
So, we may need a very short RFC updating the definition of MTU
in RFC 791.

-- Orange

From: Paul Vixie <paul at redbarn.org>
Date: Mon, 09 Sep 2013 07:31:42 -0700

> ...
> 
> Yasuhiro Orange Morishita / 森下泰宏 wrote:
> > Paul-san, and folks,
> >
> > Now we (including me) have known the dangers and limitations,
> > so should we set max-udp-size to 1220 on every authoritative server?
> 
> for unsigned responses, i think a v6 max-udp-size of 1220 and a v4 max-udp-size of 512 is what's called for. i've not seen an explanation of how dnssec-covered data can be poisoned, even with fragment attacks. orange, can you write RFC 6891-bis?
> 
> the messaging that would go out with this is, everybody needs to sign their dns data, and everybody needs to validate, and if you're planning to send large responses then your authority servers must be v6 reachable, and your v4 performance will be low due to tcp.
> 
> vixie
> 
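The thread argues about what a server should do when an unsigned UDP response would exceed a per-family size limit (1220 octets on IPv6, 512 on IPv4): it must shorten the message and set the TC bit so the client retries over TCP. The following Python script is an added illustration of that mechanism, not code from the list or from any server implementation. It builds a DNS response in wire format, applies an assumed per-family limit table, drops whole RRs from the end of the answer section until the message fits, and sets TC. Record sizes, the `example.com.` TXT data, the transaction ID and the policy table are constructed for the example; a production server would also consider dropping whole RRsets rather than individual RRs.

```python
import struct

# Per-family UDP response limits as proposed in the thread for unsigned data.
# This table is an assumption for the example, not a setting of any real server.
UDP_LIMITS = {"v4": 512, "v6": 1220}

FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: the client should retry over TCP

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(name, rtype, ttl, rdata):
    """NAME TYPE CLASS TTL RDLENGTH RDATA (RFC 1035 section 3.2.1)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def txt_rr(name, text, ttl=300):
    """One TXT record whose RDATA is a single <character-string>."""
    data = text.encode("ascii")
    return encode_rr(name, TYPE_TXT, ttl, bytes([len(data)]) + data)


def build_response(txid, qname, qtype, answers, flags):
    """Header (QDCOUNT=1, ANCOUNT=len(answers)) + question + answer RRs."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers)


def udp_response(txid, qname, qtype, answers, family):
    """Return (wire, truncated) for the UDP limit of `family` ("v4" or "v6").

    If the full message fits, it is sent as is. Otherwise RRs are dropped
    from the end of the answer section until it fits, and TC is set so the
    client retries over TCP.
    """
    limit = UDP_LIMITS[family]
    wire = build_response(txid, qname, qtype, answers, FLAG_QR | FLAG_AA)
    if len(wire) <= limit:
        return wire, False
    kept = list(answers)
    while kept:
        kept.pop()
        wire = build_response(txid, qname, qtype, kept, FLAG_QR | FLAG_AA | FLAG_TC)
        if len(wire) <= limit:
            return wire, True
    return wire, True  # header + question only; fits any realistic limit


def parse_header(wire):
    """Decode the 12-byte header and report the fields the client acts on."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"txid": txid, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "size": len(wire)}


def demo():
    """Constructed sample: 20 TXT records of 60 characters under example.com.

    Each RR is 84 bytes on the wire, so the full response is 1709 bytes:
    over both limits. The result shows how much survives per family.
    """
    qname = "example.com."
    answers = [txt_rr(qname, "x" * 60) for _ in range(20)]
    return {fam: parse_header(udp_response(0x1234, qname, TYPE_TXT, answers, fam)[0])
            for fam in UDP_LIMITS}


if __name__ == "__main__":
    for fam, hdr in demo().items():
        print(fam, hdr)
```

With these constructed records, the IPv6 limit keeps 14 of the 20 answers (1205 bytes, TC set) and the IPv4 limit keeps 5 (449 bytes, TC set); a client that honours TC then re-asks over TCP, which is the "v4 performance will be low due to tcp" cost mentioned above.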