[dns-operations] Spoofing DNS with fragments

Tony Finch dot at dotat.at
Wed Sep 12 10:36:34 UTC 2018

Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> With broad adoption of DNSCurve, TLS, HTTPS, ... not very likely the
> TSIG suggestion might actually be possible to get deployed.  Or, as
> suggested in this thread, we could configure our servers to cap UDP
> EDNS buffer sizes at ~1200 bytes (perhaps with the exception of loopback
> interface clients), thereby closing the opportunity for forgeries of
> predicted fragments, reducing reported issues with DNSSEC
> over IPv6 and capping response amplification.

Yes, we should make more effort to deprecate fragmented DNS.


f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
democracy, participation, and the co-operative principle
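As an added illustration of the EDNS buffer-size cap discussed above (example code written for this page, not from the thread or any DNS server): a small parser that reads the EDNS0 OPT record out of a DNS message and computes the UDP payload size a server applying such a cap would honour, with the loopback exception mentioned in the quote. The cap value 1232, the 512-byte floor, and the function names are assumptions, and the query bytes are constructed inline.

```python
import ipaddress
import struct

CAP = 1232  # assumed concrete value for the thread's "~1200 bytes"


def build_query(qname: str, qtype: int, udp_size=None, do: bool = True) -> bytes:
    """Constructed sample: a DNS query; if udp_size is given, an EDNS0 OPT RR is appended."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    if udp_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=ext-rcode/version/flags (DO bit is the top flag bit), RDLEN=0
    flags = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, flags, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def advertised_udp_size(msg: bytes):
    """Return the EDNS UDP payload size advertised in msg, or None if there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass  # for OPT, the CLASS field carries the payload size
    return None


def effective_udp_size(msg: bytes, client_ip: str, cap: int = CAP) -> int:
    """Size a capping server would use: 512 without EDNS, else advertised size clamped to cap."""
    adv = advertised_udp_size(msg)
    if adv is None:
        return 512
    if ipaddress.ip_address(client_ip).is_loopback:
        return max(512, adv)  # loopback clients are exempt from the cap
    return max(512, min(adv, cap))
```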
