[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Roland Dobbins rdobbins at arbor.net
Sat Sep 13 10:24:22 UTC 2014

On Sep 13, 2014, at 4:37 PM, Franck Martin <fmartin at linkedin.com> wrote:

> My understanding is that UDP fragmentation is something frown upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)?

No.  IP fragmentation is a normal part of TCP/IP communications across the Internet.  It isn't something to actively wish for, but it's perfectly normal.

> -limit size to <1500? on both IPv4 and IPv6?


> -allow UDP fragmentation on IPv4 and IPv6, how securely?

Yes, allow it; there's no security issue.  This is a myth originating with clueless vendors in the mid-1990s, and propagated today Confused Information Systems Security Professionals (CISSPs) and their ilk.

> Any good documentation, pointers?

Slide 153 of this deck:


Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 243 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140913/364e9f06/attachment.sig>

More information about the dns-operations mailing list