[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jan 4 15:43:41 UTC 2019

On Fri, Jan 04, 2019 at 12:33:47PM +0000,
 Matt Nordhoff <lists at mn0.us> wrote 
 a message of 120 lines which said:

> *without* setting the TC bit.

This one seems perfectly reasonable. No RRset has been truncated,
there is no reason to set the TC bit.

> This was found in the wild by an Unbound resolver configured with an
> EDNS buffer size of 512 bytes,

I tend to think that running a resolver which sends the DO bit *and*
has a very small buffer size (512b) is a Bad Idea.

> As background context, with the renewed attention to fragmentation
> attacks last year, Let's Encrypt [1] and at least one other CA [2]
> have configured the resolvers in their domain validation
> infrastructure with an EDNS buffer size of 512 bytes to reduce the
> risk of fragmentation.

This seems also a Bad Idea. Why 512 and not, say, 1280, which is
guaranteed not to fragment except in very bizarre IPv4 cases?

More information about the dns-operations mailing list