[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Mark Andrews marka at isc.org
Tue Sep 23 21:41:23 UTC 2014


In message <87fvfitfyj.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Franck Martin:
> 
> > What is the recommended setup for EDNS?
> > -limit size to <1500? on both IPv4 and IPv6?
> 
> Limit to packet size 1200 or less, and tell the kernel to disregard
> any path MTU information it has.
> 
> > -allow UDP fragmentation on IPv4 and IPv6, how securely?
> 
> Fragmentation in IPv4 is inherently insecure and introduces a DNS
> cache poisoning vulnerability.
> 
> As specified, fragmentation in IPv6 is broken because the sender needs
> to keep track of clients which have requested atomic fragments.  It is
> best to disregard this requirement and simply never send any packets
> with fragment headers, atomic or not.

Truly, fragmented packets get to recursive servers most of the time
and for those that don't the recursive server can adjust to the
path's characteristics.

Not sending fragmented packets penalizes sites that do the right
thing and accept fragments.  It forces them to go to TCP more often
and forces PMTUD discovery to occur on the TCP socket as more stacks
correctly handle fragmenting UDP packets than correctly adjust TCP
packet sizes to prevent PMTUD in the first place.  Sending fragmented
DNS/UDP/IPv6 at 1280 works better than sending DNS/TCP/IPv6 at 1500
when the resolver is behind a tunnel which is still very much the
case.  If you insist on limiting UDP responses to 1280 then set the
interface MTU to 1280 so the TCP mss negotiation works with this
value and as a result PMTUD doesn't need to occur.

As for atomic fragments, it is a separate issue out of control of
the nameserver.

As for cache poisoning, send signed data and use DNS COOKIES or SIT
or if you are really worried about injected fragments add a 64 bit
cryptographic hash as an EDNS option.  Track whether a server
supports DNS COOKIES, SIT and the cryptographic hash.  If you don't
get the options returned you discard the response.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
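
The "track whether a server supports it, and discard the response if the option is not returned" policy from the message above, sketched resolver-side as an added example (not part of the original message and not ISC code). It assumes the COOKIE option as later standardized in RFC 7873 (option code 10, 8-byte client cookie echoed first); the function names, the in-memory set of cookie-capable servers and the sample packets are constructed for illustration.

```python
import struct

COOKIE, OPT = 10, 41  # EDNS COOKIE option code (RFC 7873), OPT RR type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def edns_options(msg):
    """Return {option_code: data} from the OPT record of a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            opts, end = {}, off + rdlen
            while off + 4 <= end:
                code, length = struct.unpack_from("!HH", msg, off)
                opts[code] = msg[off + 4:off + 4 + length]
                off += 4 + length
            return opts
        off += rdlen
    return {}

def accept(msg, server, client_cookie, cookie_servers):
    """Discard a response when a cookie-capable server fails to echo our cookie."""
    try:
        option = edns_options(msg).get(COOKIE)
    except (IndexError, struct.error):         # truncated or malformed message
        return False
    if option is None:                         # no cookie option came back
        return server not in cookie_servers    # fine only if never seen to support it
    if option[:8] != client_cookie:
        return False                           # wrong cookie: treat as spoofed
    cookie_servers.add(server)                 # track that this server supports it
    return True

def sample_response(cookie=None):
    """Constructed reply for example.com/A with an OPT record (test data)."""
    query = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 1) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    rdata = b"" if cookie is None else struct.pack("!HH", COOKIE, len(cookie)) + cookie
    return query + b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
```

Once a server has echoed the cookie, a later reply from that address without the option is dropped, which is the case an off-path injected answer falls into.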
