[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Franck Martin fmartin at linkedin.com
Mon Sep 15 11:26:11 UTC 2014


On Sep 15, 2014, at 12:52 PM, Tony Finch <dot at dotat.at> wrote:

> Franck Martin <fmartin at linkedin.com> wrote:
>> 
>> What is the recommended setup for EDNS?
>> -limit size to <1500? on both IPv4 and IPv6?
> 
> Yes, on some if not all of your authority servers. That is, you need to
> limit the size of response that you send (max-udp-size in BIND terms).
> (Don't get confused with your advertized EDNS buffer size which is for
> receiving responses, mainly on recursive servers.)
> 
> This improves your interoperability with resolvers at other sites that
> have broken networks which drop fragmented packets.
> 
> https://dnssec.surfnet.nl/wp-content/uploads/2012/09/Recommendations-for-dealing-with-fragmentation-in-DNS-v3.pdf
> https://www.usenix.org/sites/default/files/conference/protected-files/vanrisjwik_lisa12_slides.pdf
> 

I’m looking more at the resolver side, as these may not be dedicated machines for named, like an authoritative server would be. So allowing fragmented packets to them to support EDNS >1280 responses, without limiting the advertised EDNS buffer size, may leave the box vulnerable to attacks (and which ones)?
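The send-side versus advertise-side distinction Tony draws, as an added BIND configuration example (not from the original thread; the 1280-byte value is an assumption, chosen because it is the IPv6 minimum MTU and the threshold mentioned above):

```conf
// ---- File A: options for an AUTHORITATIVE server ----
// max-udp-size caps the UDP responses this server SENDS. An answer that
// would be larger is truncated (TC=1) and the querying resolver retries
// over TCP, so no fragmented UDP datagram leaves this host. TCP/53 must
// therefore be reachable from the Internet for this to work.
options {
    max-udp-size 1280;      // assumption: 1280 = IPv6 minimum MTU
    minimal-responses yes;  // omit optional additional records: smaller answers
};

// ---- File B: options for a RECURSIVE resolver ----
// edns-udp-size is the buffer size ADVERTISED in outgoing queries, i.e. the
// largest UDP reply remote authoritative servers may send back. Keeping it
// below the path MTU avoids depending on fragments arriving at all; large
// answers then come back truncated and are re-fetched over TCP.
options {
    edns-udp-size 1280;     // assumption: same value as above
    max-udp-size 1280;      // also bounds replies sent to this resolver's own clients
    recursion yes;
};
```

The two stanzas are alternatives for different hosts, not one file; a machine that is both authoritative and recursive would merge them into a single `options` block.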
