[dns-operations] Announcement - DNS flag day on 2019-02-01

Florian Weimer fw at deneb.enyo.de
Thu Jun 14 17:04:19 UTC 2018


* Shane Kerr:

> Paul Vixie:
>> i'd rather we broke everything that won't let edns through. the internet
>> can't grow in avoidance-mode. we have to confront, too.
>
> I don't think the problem referred to here is EDNS, but rather large
> packets.

It's both.  With some implementations, data loss due to fragmentation
leads to fallback from EDNS, which again leads to DNSSEC validation
failures due to signature stripping.

> Are there even secure ways to establish PMTU on the Internet? Or if not
> secure (as in "authenticated"), then ways that don't open operators up
> to various ICMP-based attacks?

Source addresses of ICMP packets cannot be validated.  You can try to
check the payload, but that could be predictable as well.  It also
requires keeping packets around after they have been sent.

For IPv6, the DNS server needs to keep track of the PMTU to every
client it sees if it wants to support a PMTU lower than the interface
MTU.  So it's not even possible to implement a simple stateless UDP
server.
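Added example (not from the thread): a stdlib-only Python sketch of the chain described above. The DO bit that asks for RRSIGs lives only in the EDNS OPT record, so a resolver that retries without EDNS after losing a fragmented reply can no longer request signatures, and a validator then sees unsigned data. The query name, buffer size and transaction id are constructed values.

```python
import struct

EDNS_OPT_TYPE = 41
DO_FLAG = 0x8000  # DO bit: top bit of the OPT RR's 32-bit "TTL" field (RFC 3225)

def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, txid=0x1234, edns_bufsize=None, do=False):
    """Wire-format query. The OPT RR (advertised UDP payload size + DO bit)
    is present only when edns_bufsize is given; a non-EDNS fallback query
    simply has nowhere to carry DO."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    if edns_bufsize is not None:
        ttl = DO_FLAG if do else 0
        # OPT RR: root owner name, TYPE=41, CLASS=bufsize, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_bufsize, ttl, 0)
    return msg

def skip_name(msg, off):
    """Advance past a wire-format name (handles a trailing compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def edns_params(msg):
    """What a responder learns from the query: (udp payload size, DO).
    With no OPT RR it must assume classic 512-byte UDP and DO unset,
    i.e. it will not include RRSIGs in the answer."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS_OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return 512, False

if __name__ == "__main__":
    print(edns_params(build_query("example.com.", 1, edns_bufsize=4096, do=True)))
    print(edns_params(build_query("example.com.", 1)))  # the fallback retry
```

Comparing the two results shows why the fallback retry cannot be validated: the second query advertises 512 bytes and no DO, so the authoritative server answers without signatures.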
