[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Mark Andrews marka at isc.org
Sat Sep 13 11:58:17 UTC 2014


In message <5DD7F8BA-ADB7-4132-9672-7FE53174E307 at arbor.net>, Roland Dobbins writes:
>
>
> On Sep 13, 2014, at 4:37 PM, Franck Martin <fmartin at linkedin.com> wrote:
>
> > My understanding is that UDP fragmentation is something frown upon in
> IPv4 and even more on IPv6 (because of processing power needed, and
> security concerns)?
>
> No.  IP fragmentation is a normal part of TCP/IP communications across
> the Internet.  It isn't something to actively wish for, but it's
> perfectly normal.
>
> > -limit size to <1500? on both IPv4 and IPv6?
>
> No.

But do force IPv6 to fragment at 1280.  This avoids PMTUD.

> > -allow UDP fragmentation on IPv4 and IPv6, how securely?
>
> Yes, allow it; there's no security issue.  This is a myth originating
> with clueless vendors in the mid-1990s, and propagated today by Confused
> Information Systems Security Professionals (CISSPs) and their ilk.
>
> > Any good documentation, pointers?
>
> Slide 153 of this deck:
>
> <https://app.box.com/s/r7an1moswtc7ce58f8gg>
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>     		   	  -- Laocoon
>
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
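As an added illustration of the 1280-byte IPv6 rule discussed above (example code written for this archive page, not code from the thread or from ISC): it works out how large a DNS/UDP message can be before it must fragment at a given MTU, builds a query whose EDNS0 OPT record advertises that size, and reads the size back. It assumes a plain IPv6 header with no extension headers and an IPv4 header with no options.

```python
import struct

IPV6_HEADER = 40    # fixed IPv6 header; extension headers assumed absent
IPV4_HEADER = 20    # IPv4 header without options
UDP_HEADER = 8
IPV6_MIN_MTU = 1280  # every IPv6 link must carry this size unfragmented
EDNS_OPT_TYPE = 41
DO_BIT = 0x8000      # DNSSEC OK flag in the OPT "TTL" field


def max_dns_payload(mtu: int, ipv6: bool) -> int:
    """Largest DNS message that fits in one unfragmented IP packet of size mtu."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - UDP_HEADER


def would_fragment(response_len: int, mtu: int, ipv6: bool) -> bool:
    """True if a UDP response of response_len bytes exceeds the unfragmented limit."""
    return response_len > max_dns_payload(mtu, ipv6)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname: str, qtype: int, udp_payload: int,
                     dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Build a DNS query with an EDNS0 OPT RR advertising udp_payload bytes."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, CLASS field = advertised UDP payload size,
    # TTL field = extended RCODE / EDNS version / flags (DO bit), RDLENGTH 0
    flags = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload, flags, 0)
    return header + question + opt


def advertised_payload_size(msg: bytes):
    """Return the UDP payload size from a trailing empty OPT RR, or None if absent."""
    if len(msg) < 12 + 11:
        return None
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return None
    name, rtype, rclass, _ttl, rdlen = struct.unpack("!BHHIH", msg[-11:])
    if name != 0 or rtype != EDNS_OPT_TYPE or rdlen != 0:
        return None
    return rclass
```

With the IPv6 minimum MTU, max_dns_payload(1280, True) gives 1232 bytes, which is the buffer size a resolver would advertise to stay clear of PMTUD entirely.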


