[dns-operations] Spoofing DNS with fragments

Tony Finch dot at dotat.at
Wed Sep 12 10:36:34 UTC 2018


Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> With broad adoption of DNSCurve, TLS, HTTPS, ... not very likely the
> TSIG suggestion might actually be possible to get deployed.  Or, as
> suggested in this thread, we could configure our servers to cap UDP
> EDNS buffer sizes at ~1200 bytes (perhaps with the exception of loopback
> interface clients), thereby closing the opportunity for forgeries of
> predicted fragments, reducing reported issues with DNSSEC
> over IPv6 and capping response amplification.

Yes, we should make more effort to deprecate fragmented DNS.

https://mailarchive.ietf.org/arch/msg/dnsop/xnJjuOFRE4IiT7uqEFyqhYKKT7c

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
democracy, participation, and the co-operative principle
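As an added illustration of the UDP-size cap discussed in the quoted message (this is example code, not part of the original thread or any named server's implementation), the following Python reads the EDNS buffer size a client advertises in its OPT record, clamps it to a server-side cap of 1200 bytes for remote clients while exempting loopback clients as the thread suggests, and decides whether a response must be truncated so the client retries over TCP instead of receiving fragments. The cap value, the sample query builder and the helper names are assumptions for this example.

```python
"""Cap the EDNS UDP payload size a DNS server honours so answers never need IP fragments.

Added example: not code from the dns-operations thread. The 1200-byte cap follows the
value suggested in the quoted message; helper names and sample data are constructed here.
"""
import ipaddress
import struct

DEFAULT_UDP_CAP = 1200      # server-side cap (assumption, per the thread's ~1200 suggestion)
CLASSIC_UDP_LIMIT = 512     # RFC 1035 limit for clients that send no OPT record
OPT_TYPE = 41               # RR type of the EDNS OPT pseudo-record


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the wire-format name starting at pos (handles compression)."""
    while True:
        length = msg[pos]
        if length == 0:                 # root label terminates the name
            return pos + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def advertised_bufsize(query: bytes) -> int:
    """Extract the client's EDNS UDP payload size from a query, or 512 if it has no OPT record."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(query, pos) + 4        # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass                       # in an OPT record the CLASS field carries the buffer size
        pos += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def effective_udp_limit(query: bytes, client_ip: str, cap: int = DEFAULT_UDP_CAP) -> int:
    """Largest UDP response the server will send to this client."""
    client_size = advertised_bufsize(query)
    if ipaddress.ip_address(client_ip).is_loopback:
        return client_size                      # loopback exception: off-host fragment spoofing does not apply
    return min(client_size, cap)


def must_truncate(response_len: int, query: bytes, client_ip: str,
                  cap: int = DEFAULT_UDP_CAP) -> bool:
    """True if the answer exceeds the limit, so the server should set TC and let the client retry over TCP."""
    return response_len > effective_udp_limit(query, client_ip, cap)


def build_query(qname: str, bufsize: int = 0) -> bytes:
    """Constructed sample A query; bufsize > 0 appends an OPT record advertising that payload size."""
    arcount = 1 if bufsize else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0) if bufsize else b""
    return header + question + opt


if __name__ == "__main__":
    q = build_query("example.com", 4096)                # constructed: client advertises 4096
    print("advertised:", advertised_bufsize(q))
    print("limit for remote client:", effective_udp_limit(q, "192.0.2.10"))
    print("limit for loopback client:", effective_udp_limit(q, "127.0.0.1"))
    print("1500-byte answer to remote client truncated:", must_truncate(1500, q, "192.0.2.10"))
```

Run it directly to see the clamp in action: a client advertising 4096 bytes is held to 1200 from a routable address but keeps 4096 from loopback, and a 1500-byte answer to the remote client is marked for truncation rather than sent in fragments.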
