[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Oct 18 15:33:41 UTC 2015

I had issues with the domain kura.io, since the name servers always
reply with TC=0 (on IPv4; their IPv6 behaviour is more
common). According to the DNS hoster, Rage4, it is for "dDoS
protection" (I assume the goal is to make reflection attacks

It is the first time I meet this behaviour in the wild.

Is it a good idea?

If not, should testing programs like ZoneMaster
<https://zonemaster.fr/> flag such behaviour as risky?

I can reproduce it with NSD (ipv4-edns-size: 60) but not with other
programs. Any idea how to do it with BIND or Knot (BIND has
max-udp-size but, apparently, it is capped to 512 bytes even if a
lower value is indicated, Knot has max-udp-payload but the server
refuses to start if it's too low "EDNS payload size is lower than 1220
bytes for DNSSEC zone")

More information about the dns-operations mailing list