[dns-operations] Spoofing DNS with fragments
dot at dotat.at
Wed Sep 12 10:36:34 UTC 2018
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> With broad adoption of DNSCurve, TLS, HTTPS, ... not very likely the
> TSIG suggestion might actually be possible to get deployed. Or, as
> suggested in this thread, we could configure our servers to cap UDP
> EDNS buffer sizes at ~1200 bytes (perhaps with the exception of loopback
> interface clients), thereby closing the opportunity for forgeries of
> predicted fragments, reducing reported issues with DNSSEC
> over IPv6 and capping response amplification.
Yes, we should make more effort to deprecate fragmented DNS.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
democracy, participation, and the co-operative principle
More information about the dns-operations