[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals
bortzmeyer at nic.fr
Fri Jan 4 15:43:41 UTC 2019
On Fri, Jan 04, 2019 at 12:33:47PM +0000,
Matt Nordhoff <lists at mn0.us> wrote
a message of 120 lines which said:
> *without* setting the TC bit.
This one seems perfectly reasonable. No RRset has been truncated, so
there is no reason to set the TC bit.
> This was found in the wild by an Unbound resolver configured with an
> EDNS buffer size of 512 bytes,
I tend to think that running a resolver which sends the DO bit *and*
has a very small buffer size (512b) is a Bad Idea.
> As background context, with the renewed attention to fragmentation
> attacks last year, Let's Encrypt and at least one other CA
> have configured the resolvers in their domain validation
> infrastructure with an EDNS buffer size of 512 bytes to reduce the
> risk of fragmentation.
This seems also a Bad Idea. Why 512 and not, say, 1280, which is
guaranteed not to fragment except in very bizarre IPv4 cases?
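The fitting rule discussed in this reply, as an added example that is not code from the thread or from any of the name servers it mentions: a referral is built into the requester's EDNS buffer, the NS RRset is treated as mandatory, whole glue RRsets are dropped (in-bailiwick ones last) when they do not fit, and TC is set only when the authority section itself will not fit. The zone, name server names, addresses and buffer sizes are constructed for the example; the helper at the top also shows the UDP payload budget left at a given path MTU once IP and UDP headers are subtracted.

```python
# Added example (not code from the thread or from any named name server):
# fits a DNS referral into a requester's EDNS buffer the way the reply
# describes, dropping additional-section glue before ever setting TC.
import struct

A, NS, AAAA, OPT = 1, 2, 28, 41          # RR type codes
QR, TC = 0x8000, 0x0200                  # header flag bits
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8  # bytes of IP/UDP header per datagram


def max_unfragmented_payload(mtu, ipv6=True):
    """Largest DNS message that fits in one datagram at the given path MTU."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def encode_name(name):
    """Uncompressed wire-format name; label compression is left out for clarity."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def in_bailiwick(name, zone):
    """A name server at or below the zone cut can only be reached via glue."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def build_referral(qname, zone, nameservers, glue, bufsize, txid=0x1234):
    """Build the referral for qname, sized to the requester's EDNS buffer.

    nameservers: NS names of `zone`; glue: {nsname: [(rtype, rdata), ...]}.
    Returns a dict with the wire message, whether TC was set, which glue
    owners were sent and which in-bailiwick ("critical") owners were dropped.
    """
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    # OPT pseudo-RR: root owner, CLASS carries our UDP payload size, no options
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    authority = b"".join(encode_rr(zone, NS, encode_name(ns)) for ns in nameservers)
    mandatory = 12 + len(question) + len(authority) + len(opt)

    if mandatory > bufsize:
        # The NS RRset itself does not fit: that is real truncation, so set
        # TC and send only header + question + OPT; the client retries over TCP.
        hdr = struct.pack("!HHHHHH", txid, QR | TC, 1, 0, 0, 1)
        critical = [ns for ns in nameservers if in_bailiwick(ns, zone)]
        return {"wire": hdr + question + opt, "tc": True,
                "glue_sent": [], "critical_dropped": critical}

    # Glue for in-bailiwick servers goes first; it is the only way a resolver
    # can learn those addresses. Whole RRsets per owner are kept or dropped.
    ordered = sorted((ns for ns in nameservers if ns in glue),
                     key=lambda ns: not in_bailiwick(ns, zone))
    room = bufsize - mandatory
    additional, sent, dropped = b"", [], []
    for ns in ordered:
        rrs = b"".join(encode_rr(ns, t, rd) for t, rd in glue[ns])
        if len(rrs) <= room:
            additional += rrs
            room -= len(rrs)
            sent.append(ns)
        elif in_bailiwick(ns, zone):
            dropped.append(ns)
    arcount = sum(len(glue[ns]) for ns in sent) + 1  # +1 for the OPT RR
    hdr = struct.pack("!HHHHHH", txid, QR, 1, 0, len(nameservers), arcount)
    # Leaving additional data out is not truncation (RFC 2181 s9): TC stays clear.
    return {"wire": hdr + question + authority + additional + opt, "tc": False,
            "glue_sent": sent, "critical_dropped": dropped}


# Constructed sample delegation: one out-of-bailiwick and five in-bailiwick
# name servers, each with A and AAAA glue in documentation address space.
ZONE = "example.test."
NAMESERVERS = ["ns.hoster.test."] + ["ns%d.example.test." % i for i in range(1, 6)]
GLUE = {ns: [(A, bytes([192, 0, 2, i])),
             (AAAA, bytes.fromhex("20010db8") + bytes(11) + bytes([i]))]
        for i, ns in enumerate(NAMESERVERS, 1)}


def referral_for(bufsize):
    return build_referral("www.example.test.", ZONE, NAMESERVERS, GLUE, bufsize)


if __name__ == "__main__":
    for size in (280, 512, 1232):
        r = referral_for(size)
        print(size, len(r["wire"]), "TC" if r["tc"] else "no TC",
              "sent", r["glue_sent"], "critical dropped", r["critical_dropped"])
```

With the constructed delegation, a 512-byte buffer gets the full NS RRset plus glue for ns1 and ns2 only; the in-bailiwick glue for ns3 through ns5 is left out with TC clear, which is the situation the subject line describes, and a resolver that will not retry over TCP has no other source for those addresses. A 1232-byte buffer carries everything; 1232 is what a 1280-byte IPv6 datagram leaves after the 40-byte IPv6 and 8-byte UDP headers, as `max_unfragmented_payload` computes.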