[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Florian Weimer fw at deneb.enyo.de
Tue Sep 23 17:16:36 UTC 2014


* Franck Martin:

> What is the recommended setup for EDNS?
> -limit size to <1500? on both IPv4 and IPv6?

Limit to packet size 1200 or less, and tell the kernel to disregard
any path MTU information it has.

> -allow UDP fragmentation on IPv4 and IPv6, how securely?

Fragmentation in IPv4 is inherently insecure and introduces a DNS
cache poisoning vulnerability.

As specified, fragmentation in IPv6 is broken because the sender needs
to keep track of clients which have requested atomic fragments.  It is
best to disregard this requirement and simply never send any packets
with fragment headers, atomic or not.
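The advice above is about what a resolver or authoritative server advertises in the EDNS(0) OPT record and about keeping UDP responses small enough to avoid fragmentation. The following script is an added example, not code from Florian Weimer or from this thread: it builds an EDNS(0) query with a chosen UDP payload size, extracts the advertised size from any DNS message (walking past compression pointers), flags messages that advertise more than the 1200-byte ceiling recommended above, and estimates whether a given response would need fragmentation on a given path MTU. The 20/40-byte IP header and 8-byte UDP header arithmetic and the constructed sample response are my own assumptions; nothing here is captured traffic.

```python
import struct

# Ceiling for the advertised EDNS(0) UDP payload size, per the advice in this thread.
EDNS_MAX_UDP_SIZE = 1200
OPT_TYPE = 41          # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
IPV6_MIN_MTU = 1280    # smallest MTU an IPv6 link must support (RFC 8200)


def _encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, udp_size=EDNS_MAX_UDP_SIZE, txid: int = 0x1234) -> bytes:
    """Build a DNS query (class IN). udp_size=None omits the OPT record entirely."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = _encode_name(qname) + struct.pack(">HH", qtype, 1)
    msg = header + question
    if udp_size is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLEN=0 (no options).
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def _skip_rr(msg: bytes, off: int):
    """Return (type, class, offset past this RR) for the RR starting at off."""
    off = _skip_name(msg, off)
    rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
    return rtype, rclass, off + 10 + rdlen


def edns_udp_size(msg: bytes):
    """Return the UDP payload size advertised in the message's OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack_from(">HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        rtype, rclass, off = _skip_rr(msg, off)
        if rtype == OPT_TYPE:
            return rclass                        # CLASS field carries the payload size
    return None


def violates_size_policy(msg: bytes, limit: int = EDNS_MAX_UDP_SIZE) -> bool:
    """True if the message advertises an EDNS buffer larger than `limit`."""
    size = edns_udp_size(msg)
    return size is not None and size > limit


def needs_fragmentation(dns_payload_len: int, mtu: int, ipv6: bool) -> bool:
    """Assumed header sizes: 40-byte IPv6 or 20-byte IPv4 header plus 8-byte UDP header."""
    ip_header = 40 if ipv6 else 20
    return dns_payload_len + ip_header + 8 > mtu


def sample_response(udp_size: int = 4096) -> bytes:
    """Constructed (not captured) response: one A record using a compression pointer, plus an OPT RR."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR, RD, RA set
    question = _encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    for label, msg in (("query", build_query("example.com")), ("response", sample_response())):
        size = edns_udp_size(msg)
        print(f"{label}: advertised EDNS size={size}, exceeds {EDNS_MAX_UDP_SIZE}={violates_size_policy(msg)}")
    print("1200-byte answer fragments on 1280 MTU (v6)?", needs_fragmentation(1200, IPV6_MIN_MTU, True))
```

A 1200-byte DNS payload plus the assumed 48 bytes of IPv6 and UDP headers stays under the 1280-byte IPv6 minimum MTU, which is why a ceiling around 1200 avoids fragment headers on any compliant IPv6 path; the same check against a 1500-byte IPv4 MTU shows why a 4096-byte advertisement invites the fragmentation the thread warns against.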
