[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Franck Martin fmartin at linkedin.com
Mon Sep 15 11:26:11 UTC 2014

On Sep 15, 2014, at 12:52 PM, Tony Finch <dot at dotat.at> wrote:

> Franck Martin <fmartin at linkedin.com> wrote:
>> What is the recommended setup for EDNS?
>> -limit size to <1500? on both IPv4 and IPv6?
> Yes, on some if not all of your authority servers. That is, you need to
> limit the size of response that you send (max-udp-size in BIND terms).
> (Don't get confused with your advertized EDNS buffer size which is for
> receiving responses, mainly on recursive servers.)
> This improves your interoperability with resolvers at other sites that
> have broken networks which drop fragmented packets.
> https://dnssec.surfnet.nl/wp-content/uploads/2012/09/Recommendations-for-dealing-with-fragmentation-in-DNS-v3.pdf
> https://www.usenix.org/sites/default/files/conference/protected-files/vanrisjwik_lisa12_slides.pdf

I’m looking more on the resolvers side as these may not be dedicated machines for named, like an authoritative server would be. So allowing fragmented packets to them to support EDNS >1280 responses without limiting the advertised EDNS buffer size may leave the box vulnerable to attacks (and which ones)?
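As an added example (not code from this thread), the following Python encodes and parses the OPT pseudo-RR that carries the advertised EDNS buffer size, then applies the distinction Tony draws: the largest UDP answer a server may send is the querier's advertised size capped by the server's own limit (max-udp-size in BIND), with TC set beyond that so the client retries over TCP. The header sizes, the 1232-byte cap and the 1280/1500 MTUs in the sample run are assumptions for illustration, not values from the thread.

```python
import struct

OPT_TYPE = 41            # RFC 6891 OPT pseudo-RR type
DO_FLAG = 0x8000         # DNSSEC OK bit in the OPT TTL field
CLASSIC_UDP_LIMIT = 512  # no OPT RR in the query: RFC 1035 limit applies

def build_opt_rr(udp_payload_size, do_bit=False):
    """Encode an OPT RR: root name, TYPE 41, CLASS = advertised UDP payload
    size (the 'EDNS buffer size' a resolver advertises for receiving),
    TTL = extended RCODE / version / flags, empty RDATA."""
    ttl = DO_FLAG if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)

def parse_opt_rr(data):
    """Decode an OPT RR at the start of `data`; return (advertised size, DO bit)."""
    if len(data) < 11 or data[0] != 0:
        raise ValueError("OPT RR must start with the root name")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    return rclass, bool(ttl & DO_FLAG)

def effective_udp_limit(advertised, max_udp_size):
    """Largest UDP response a server may send: the querier's advertised size
    capped by the server's own max-udp-size; 512 if the query carried no OPT."""
    if advertised is None:
        return CLASSIC_UDP_LIMIT
    return min(advertised, max_udp_size)

def plan_udp_response(response_len, advertised, max_udp_size):
    """Return (udp limit, truncate). When the answer exceeds the limit the
    server sets TC and the client retries over TCP instead of the server
    relying on fragmented UDP reaching the resolver."""
    limit = effective_udp_limit(advertised, max_udp_size)
    return limit, response_len > limit

def fits_unfragmented(udp_payload, ipv6, path_mtu):
    """True if a UDP payload of this size fits in one packet on the path.
    Assumes fixed 40-byte IPv6 / 20-byte IPv4 headers plus an 8-byte UDP header."""
    ip_hdr = 40 if ipv6 else 20
    return udp_payload + ip_hdr + 8 <= path_mtu

if __name__ == "__main__":
    # Constructed sample: a resolver advertising 4096 with DO set, answered by
    # an authoritative server capped at 1232 (assumed cap chosen to fit the
    # IPv6 minimum MTU of 1280).
    opt = build_opt_rr(4096, do_bit=True)
    advertised, do = parse_opt_rr(opt)
    limit, tc = plan_udp_response(1600, advertised, 1232)
    print(advertised, do, limit, tc, fits_unfragmented(limit, True, 1280))
```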
