[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Oct 18 15:33:41 UTC 2015


I had issues with the domain kura.io, since the name servers always
reply with TC=0 (on IPv4; their IPv6 behaviour is more
common). According to the DNS hoster, Rage4, it is for "DDoS
protection" (I assume the goal is to make reflection attacks
impossible).

It is the first time I have met this behaviour in the wild.

Is it a good idea?

If not, should testing programs like ZoneMaster
<https://zonemaster.fr/> flag such behaviour as risky?

I can reproduce it with NSD (ipv4-edns-size: 60) but not with other
programs. Any idea how to do it with BIND or Knot? (BIND has
max-udp-size but, apparently, it is capped to 512 bytes even if a
lower value is indicated; Knot has max-udp-payload but the server
refuses to start if it's too low: "EDNS payload size is lower than 1220
bytes for DNSSEC zone".)
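As an added example (not from the post, nor from ZoneMaster, NSD, BIND or Knot), here is a small Python checker in the spirit of the test the post asks about: it builds a UDP query, classifies the reply from its TC bit and section counts, and separates ordinary oversize truncation from a server that hands back nothing over UDP and pushes every client to TCP. The offline reply builder, the kura.io name and the 192.0.2.1 address are constructed test data; probe_udp is the only part that talks to a real server.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234, edns_size=1232):
    """Minimal query: RD=1, one question, EDNS(0) OPT advertising edns_size."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return header + name + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a TC check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def classify_udp_reply(query, reply):
    """'mismatch': not a reply to our query; 'complete': TC=0;
    'truncated': TC=1 with partial data (the normal oversize case);
    'forced-tcp': TC=1 and empty answer/authority sections, i.e. the server
    gives nothing over UDP and pushes every client to TCP (the post's case)."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    if not r["tc"]:
        return "complete"
    if r["ancount"] == 0 and r["nscount"] == 0:
        return "forced-tcp"
    return "truncated"

def make_reply(query, tc, answer_count):
    """Constructed reply for offline use: echoes the question, sets QR/RD/RA
    (plus TC on request) and appends answer_count A records for 192.0.2.1."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | (0x0200 if tc else 0)
    q_end = query.index(b"\x00", 12) + 5  # end of name + type + class
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\xc0\x00\x02\x01"
    return (struct.pack("!HHHHHH", txid, flags, qd, answer_count, 0, 0)
            + query[12:q_end] + rr * answer_count)

def probe_udp(server, qname, timeout=2.0):
    """Send one UDP query to a live server and classify its reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify_udp_reply(query, reply)
```

A testing tool would run probe_udp against each authoritative server for a zone and flag "forced-tcp" on every query as the risky case, since resolvers or middleboxes that cannot complete a TCP fallback will then fail to resolve the zone at all.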
