[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Roland Dobbins rdobbins at arbor.net
Mon Sep 15 11:46:20 UTC 2014


On Sep 15, 2014, at 6:26 PM, Franck Martin <fmartin at linkedin.com> wrote:

> So allowing fragmented packets to them to support EDNS >1280 responses without limiting the advertised EDNS buffer size may leave the box vulnerable to attacks (and which ones)?

If you're talking about recursive resolvers, then prohibiting them from receiving fragments via network access policies will break the Internet for your users.

Don't do it.

Allowing them to receive fragments does *not* make them any more vulnerable to attack (any kind of TCP/IP traffic can be used for an attack).  But it will break DNS resolution with regards to EDNS0 and DNSSEC (which requires EDNS0).

As I explained previously, this nonsense about fragmentation being a security risk of some sort is just that - nonsense.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Equo ne credite, Teucri.

        -- Laocoön
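The point Roland makes (fragment filtering breaks any EDNS0 answer larger than the path MTU, and DNSSEC needs EDNS0) can be made concrete on the wire. As an added example that is not part of the thread, the Python below builds a query carrying the EDNS0 OPT pseudo-RR that advertises the requestor's UDP buffer size and DO bit (RFC 6891 layout), parses it back, and checks whether a response of a given size would need fragmentation behind the IPv6 minimum MTU of 1280 bytes; the query name, sizes and MTU values are constructed for illustration.

```python
import struct

EDNS_TYPE_OPT = 41
DO_BIT = 0x8000  # DNSSEC OK flag, high bit of the OPT record's 16-bit flags field


def build_edns_query(qname, qtype, udp_payload_size, dnssec_ok=True, txid=0x1234):
    """Build a DNS query whose additional section holds an EDNS0 OPT pseudo-RR."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
    # TTL reinterpreted as EXTENDED-RCODE | VERSION | FLAGS, RDLEN=0 (no options)
    flags = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHBBHH", EDNS_TYPE_OPT, udp_payload_size, 0, 0, flags, 0)
    return header + question + opt


def _skip_name(packet, pos):
    """Advance past a wire-format name (labels or a 2-byte compression pointer)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += length + 1


def parse_edns_opt(packet):
    """Return (advertised UDP size, DO bit) from the OPT RR, or None if the message has no EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(packet, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == EDNS_TYPE_OPT:
            return rclass, bool((ttl & 0xFFFF) & DO_BIT)
        pos += 10 + rdlen
    return None


def needs_fragmentation(response_len, path_mtu, ipv6):
    """True if a UDP DNS payload of response_len bytes cannot fit one IP packet of path_mtu bytes."""
    overhead = (40 if ipv6 else 20) + 8  # IP header (no options/extensions assumed) + UDP header
    return response_len + overhead > path_mtu
```

A 1232-byte answer is the largest that fits an IPv6 minimum-MTU packet unfragmented, which is why that figure is often advertised when fragments are known to be dropped somewhere on the path.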
