[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Harald Koch chk at pobox.com
Sat Sep 13 14:47:50 UTC 2014

On 13 September 2014 06:24, Roland Dobbins <rdobbins at arbor.net> wrote:

> No.  IP fragmentation is a normal part of TCP/IP communications across the
> Internet.  It isn't something to actively wish for, but it's perfectly
> normal.

Google "Fragmentation Considered Harmful" - nothing significant has changed
in the decades that have passed. I still wouldn't turn it off, but there
are issues you should be aware of.

> Yes, allow it; there's no security issue.  This is a myth originating with
> clueless vendors in the mid-1990s, and propagated today by Confused
> Information Systems Security Professionals (CISSPs) and their ilk.

In the 1990s, fragmentation-based attacks against IP stacks were very real;
it took a long time for vendors to fix their stacks completely, and longer
to get fixes deployed; we didn't have the "patch everything monthly"
culture firmly established yet.

I agree that I wouldn't worry too much about the *security* of IP
fragmentation today, but back then it was not a myth.

[ get off my lawn ;) ]
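An added example, not code from the original post or from any participant in this thread: the class of "fragmentation-based attacks against IP stacks" the message refers to came from reassembly code that trusted fragment offsets and lengths. The reassembler below shows the checks a stack needs before trusting a fragment set: offsets aligned to 8 bytes, no overlap, no gap, nothing extending past the 65535-byte IPv4 maximum, and exactly one final fragment. The `Fragment` type is a simplified model (identification, byte offset, MF flag, payload) rather than a real IPv4 header parser, and the three fragment sets are constructed inline for the demonstration.

```python
"""Added example (not from the dns-operations thread): a minimal IPv4
fragment reassembler that rejects the malformed fragment sets early IP
stacks mishandled. The Fragment model and sample sets are assumptions
made for this demo, not parsed from real packets."""
from dataclasses import dataclass

IPV4_MAX_LEN = 65535  # largest total IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by all fragments of a datagram
    offset: int     # fragment offset in bytes (the header field is in 8-byte units)
    more: bool      # MF (more fragments) flag
    payload: bytes


class ReassemblyError(ValueError):
    pass


def reassemble(frags):
    """Return the reassembled payload, or raise ReassemblyError.

    Every offset/length is validated against the bytes already accepted
    before it is trusted, so overlaps, gaps and oversize claims are
    rejected instead of being written into a buffer."""
    if not frags:
        raise ReassemblyError("no fragments")
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        raise ReassemblyError("mixed identification fields")
    ordered = sorted(frags, key=lambda f: f.offset)
    next_offset = 0  # first byte not yet covered by an accepted fragment
    for i, f in enumerate(ordered):
        if f.offset % 8 != 0:
            raise ReassemblyError(f"offset {f.offset} not a multiple of 8")
        end = f.offset + len(f.payload)
        if end > IPV4_MAX_LEN:
            raise ReassemblyError("fragment extends past 65535 bytes")
        if f.offset < next_offset:
            raise ReassemblyError(f"overlap at offset {f.offset}")
        if f.offset > next_offset:
            raise ReassemblyError(f"gap before offset {f.offset}")
        if f.more:
            if len(f.payload) % 8 != 0:
                raise ReassemblyError("non-final fragment length not a multiple of 8")
        elif i != len(ordered) - 1:
            raise ReassemblyError("fragment after the final (MF=0) fragment")
        next_offset = end
    if ordered[-1].more:
        raise ReassemblyError("final fragment (MF=0) missing")
    return b"".join(f.payload for f in ordered)


def check(frags):
    """Return 'ok' or the rejection reason, for quick inspection."""
    try:
        reassemble(frags)
        return "ok"
    except ReassemblyError as e:
        return str(e)


# Constructed benign set: a 20-byte payload split into 8 + 8 + 4 bytes.
GOOD = [
    Fragment(0x1234, 0, True, b"A" * 8),
    Fragment(0x1234, 8, True, b"B" * 8),
    Fragment(0x1234, 16, False, b"C" * 4),
]
# Constructed overlapping set: the second fragment re-covers bytes 0..15.
OVERLAP = [
    Fragment(0x1234, 0, True, b"A" * 8),
    Fragment(0x1234, 0, False, b"B" * 16),
]
# Constructed oversize set: offset + length runs past 65535.
OVERSIZE = [
    Fragment(0x1234, 0, True, b"A" * 8),
    Fragment(0x1234, 65528, False, b"B" * 16),
]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        print(f"{name}: {check(frags)}")
```

The checks are ordered so that the bound on `offset + len(payload)` is applied before the bytes are ever placed; the oversize set is rejected on that check alone, and the overlap set is rejected without the reassembler having to decide which of the two overlapping copies to keep.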

