[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Jan 7 06:59:32 UTC 2019

> I tend to think that running a resolver which sends the DO bit *and*
> has a very small buffer size (512b) is a Bad Idea.
>> As background context, with the renewed attention to fragmentation
>> attacks last year, Let's Encrypt [1] and at least one other CA [2]
>> have configured the resolvers in their domain validation
>> infrastructure with an EDNS buffer size of 512 bytes to reduce the
>> risk of fragmentation.
> This seems also a Bad Idea. Why 512 and not, say, 1280, which is
> guaranteed not to fragment except in very bizarre IPv4 cases?

I think they want to protect from DNS spoofing attacks with fragments
[1] and they believe setting the EDNS0 buffer size to 512 bytes reduces
the attack vector:


[1] https://dl.acm.org/citation.cfm?id=3243790


More information about the dns-operations mailing list