[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

Franck Martin fmartin at linkedin.com
Wed Sep 24 20:16:38 UTC 2014


On Sep 23, 2014, at 2:34 PM, Roland Dobbins <rdobbins at arbor.net> wrote:

> 
> On Sep 24, 2014, at 12:16 AM, Florian Weimer <fw at deneb.enyo.de> wrote:
> 
>> Fragmentation in IPv4 is inherently insecure.
> 
> Conceptually, yes, it's a Very Bad Idea.  But given the realities of the TCP/IP we have, it's important that network operators understand that they can't filter out non-initial fragments, or they'll break the Internet for their customers.
> 
But what about the customers that use recursive nameservers, does it make sense for them to block fragments at the edge and even on the other side of the link at the edge?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140924/c2801e71/attachment.sig>


More information about the dns-operations mailing list