[dns-operations] Announcement - DNS flag day on 2019-02-01

Mark Andrews marka at isc.org
Thu Jun 14 21:58:48 UTC 2018


Which is why named starts with 512 bytes the first time it talks to a server and records if it gets an EDNS answer, and uses that to determine whether to fall back to plain DNS or not in the future.

The fallback to plain DNS on no response is also going away, as that is one of the workarounds for broken servers.

-- 
Mark Andrews

> On 15 Jun 2018, at 03:04, Florian Weimer <fw at deneb.enyo.de> wrote:
> 
> * Shane Kerr:
> 
>> Paul Vixie:
>>> i'd rather we broke everything that won't let edns through. the internet
>>> can't grow in avoidance-mode. we have to confront, too.
>> 
>> I don't think the problem referred to here is EDNS, but rather large
>> packets.
> 
> It's both.  With some implementations, data loss due to fragmentation
> leads to fallback from EDNS, which again leads to DNSSEC validation
> failures due to signature stripping.
> 
>> Are there even secure ways to establish PMTU on the Internet? Or if not
>> secure (as in "authenticated"), then ways that don't open operators up
>> to various ICMP-based attacks?
> 
> Source addresses of ICMP packets cannot be validated.  You can try to
> check the payload, but that could be predictable as well.  It also
> requires keeping packets around after they have been sent.
> 
> For IPv6, the DNS server needs to keep track of the PMTU to every
> client it sees if it wants to support a PMTU lower than the interface
> MTU.  So it's not even possible to implement a simple stateless UDP
> server.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
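The per-server EDNS bookkeeping Mark describes above (probe with a 512-byte advertised UDP buffer on first contact, remember whether the server answered with an OPT record, and use that memory to decide whether a later timeout may trigger a plain-DNS retry, with that timeout fallback switched off for the post-flag-day behaviour), worked through as an added Python example. This is not code from the thread or from BIND; the 4096-byte follow-up buffer size, the server labels and the response bytes are constructed for the illustration.

```python
import struct

OPT_TYPE = 41          # RR type of the EDNS OPT pseudo-record (RFC 6891)
PROBE_BUFSIZE = 512    # advertised UDP payload size on first contact, as in the thread
FULL_BUFSIZE = 4096    # assumed follow-up size for known-EDNS servers (not from the thread)


def encode_name(qname):
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns_bufsize=None, txid=0x1234):
    """Wire-format query; carries an OPT RR in the additional section iff edns_bufsize is set."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_bufsize_in(msg):
    """UDP payload size advertised by an OPT RR in msg, or None when the message has no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass                # for OPT the CLASS field is the payload size
    return None


def build_response(query, with_opt):
    """Constructed answer: echoes the question, adds one A record and optionally an OPT RR."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    return header + question + answer + opt


class EdnsTracker:
    """Per-server memory of whether a server has ever answered with an OPT RR."""

    def __init__(self, fallback_on_timeout):
        # True models the pre-flag-day workaround (retry plain DNS after no response);
        # False models the behaviour the thread says is replacing it.
        self.fallback_on_timeout = fallback_on_timeout
        self.edns_seen = {}        # server -> True (answered with OPT) / False (answered without)
        self.retry_plain = set()   # servers whose next query is a plain-DNS fallback

    def next_query(self, server, qname):
        if server in self.retry_plain:
            return build_query(qname)                                    # plain DNS, no OPT
        if server not in self.edns_seen:
            return build_query(qname, edns_bufsize=PROBE_BUFSIZE)        # first contact: probe
        return build_query(qname, edns_bufsize=FULL_BUFSIZE)

    def record_response(self, server, msg):
        if server in self.retry_plain:
            self.retry_plain.discard(server)     # we did not ask for EDNS, so learn nothing
            return
        if edns_bufsize_in(msg) is not None:
            self.edns_seen[server] = True
        else:
            self.edns_seen.setdefault(server, False)   # never downgrade a known-EDNS server

    def record_timeout(self, server):
        if self.edns_seen.get(server):
            return                     # server has answered with EDNS before: keep EDNS
        if self.fallback_on_timeout:
            self.retry_plain.add(server)


def run_scenarios():
    """Three constructed exchanges; returns the advertised buffer size of each follow-up query."""
    out = {}
    post = EdnsTracker(fallback_on_timeout=False)
    q = post.next_query("ns-a", "example.com.")
    out["probe"] = edns_bufsize_in(q)                          # first query advertises 512
    post.record_response("ns-a", build_response(q, with_opt=True))
    post.record_timeout("ns-a")                                # later loss: EDNS is kept
    out["known_edns_after_timeout"] = edns_bufsize_in(post.next_query("ns-a", "example.com."))

    legacy = EdnsTracker(fallback_on_timeout=True)
    legacy.next_query("ns-b", "example.com.")
    legacy.record_timeout("ns-b")                              # unknown server, old workaround
    out["legacy_unknown_after_timeout"] = edns_bufsize_in(legacy.next_query("ns-b", "example.com."))

    post.next_query("ns-c", "example.com.")
    post.record_timeout("ns-c")                                # unknown server, fallback removed
    out["post_flagday_unknown_after_timeout"] = edns_bufsize_in(post.next_query("ns-c", "example.com."))
    return out


if __name__ == "__main__":
    for name, size in run_scenarios().items():
        print(f"{name}: {'plain DNS' if size is None else f'EDNS bufsize {size}'}")
```

The tracker keys its memory on the server address, so a fragmentation-loss timeout against a server that once answered with an OPT record does not strip EDNS (and hence DNSSEC material) from the retry; only the legacy configuration ever emits a plain-DNS retry, and only for servers it has never seen answer with EDNS.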