[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals
Daniel Stirnimann
daniel.stirnimann at switch.ch
Mon Jan 7 06:59:32 UTC 2019
> I tend to think that running a resolver which sends the DO bit *and*
> has a very small buffer size (512b) is a Bad Idea.
>
>> As background context, with the renewed attention to fragmentation
>> attacks last year, Let's Encrypt [1] and at least one other CA [2]
>> have configured the resolvers in their domain validation
>> infrastructure with an EDNS buffer size of 512 bytes to reduce the
>> risk of fragmentation.
>
> This seems also a Bad Idea. Why 512 and not, say, 1280, which is
> guaranteed not to fragment except in very bizarre IPv4 cases?
I think they want to protect from DNS spoofing attacks with fragments
[1] and they believe setting the EDNS0 buffer size to 512 bytes reduces
the attack vector:
https://community.letsencrypt.org/t/mitigating-dns-fragmentation-attack/74838/9
[1] https://dl.acm.org/citation.cfm?id=3243790
Daniel
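To make the trade-off in the thread concrete, the following is an added example (not code from the list or from Let's Encrypt): it builds a query carrying an EDNS0 OPT record with a chosen UDP payload size and the DO bit, and checks which advertised sizes force a server to set TC for a response of a given wire length. The query name and the 1100-byte response size are constructed sample values.

```python
import struct

# RFC 6891: the OPT pseudo-RR's CLASS field carries the requester's UDP payload
# size, and bit 15 of its 32-bit TTL field is the DO (DNSSEC OK) flag.
OPT_TYPE = 41
DO_BIT = 0x8000


def encode_name(name):
    """Encode a dotted name into DNS wire format (labels + terminating zero)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype, udp_size, do_bit, txid=0x1234):
    """Minimal RD query with one question and one OPT record (RDLEN 0)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = DO_BIT if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name
    return header + question + opt


def parse_edns(msg):
    """Return (udp_size, do_bit) from a query built by build_query.

    Assumes the OPT record is last and has no RDATA, so it is the final 11
    bytes; a query without ARCOUNT behaves as a 512-byte non-DO requester.
    """
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return 512, False
    _name, rtype, udp_size, ttl, _rdlen = struct.unpack("!BHHIH", msg[-11:])
    if rtype != OPT_TYPE:
        return 512, False
    return udp_size, bool(ttl & DO_BIT)


def needs_truncation(response_len, udp_size):
    """True when a UDP response exceeds the advertised size, so the server
    must set TC and the resolver retries over TCP. Sizes below 512 count as
    512 per RFC 6891."""
    return response_len > max(udp_size, 512)


# Constructed example: a DNSSEC-signed referral that is 1100 bytes on the wire.
SIGNED_REFERRAL_LEN = 1100


def tcp_fallback_by_buffer(sizes=(512, 1280, 4096)):
    """Map each advertised buffer size to whether the sample answer is truncated."""
    return {s: needs_truncation(SIGNED_REFERRAL_LEN, s) for s in sizes}
```

With a 512-byte buffer and DO set, the 1100-byte signed answer is truncated and re-fetched over TCP; at 1280 it fits without fragmenting on almost any path.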