[dns-operations] Announcement - DNS flag day on 2019-02-01

Florian Weimer fw at deneb.enyo.de
Thu Jun 14 05:34:56 UTC 2018


* Mark Andrews:

>> On 14 Jun 2018, at 6:51 am, Florian Weimer <fw at deneb.enyo.de> wrote:
>> 
>> * Petr Špaček:
>> 
>>> you might be interested in information about "DNS flag day" coordinated 
>>> by open-source DNS vendors and is planned for 2019-02-01
>>> (February 1st 2019).
>>> 
>>> Further information can be found on
>>> https://dnsflagday.net/
>> 
>> Is there still no reduction of EDNS buffer size to around 1200 bytes?
>> Isn't it time after ten years to address that particular
>> vulnerability?
>
> If you are talking about fragmentation reassembly attacks you need to
> use something with a cryptographic hash independent of EDNS.

Or you can avoid fragmentation in the first place, which includes
ignoring ICMP Fragmentation Needed But DF Bit Set messages.  Unbound
does that if you tell it to use a buffer size which is sufficiently
small.

Theoretically, even with a 1200-byte EDNS buffer size, there could be
IPv4 network paths which trigger fragmentation, but those will be
unusual.

Another benefit of this change is that many of the EDNS-related
problems go away.
