[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Jan 7 08:51:24 UTC 2019
On Mon, Jan 07, 2019 at 07:59:32AM +0100,
Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote
a message of 21 lines which said:
> I think they want to protect from DNS spoofing attacks with fragments
> [1] and they believe setting the EDNS0 buffer size to 512 bytes reduces
> the attack vector:
No article (not the Shulman paper, nor the articles on the Let's
Encrypt site) discusses 512 vs 1280, just fragmentation
vs. non-fragmentation. 1280 will never fragment with IPv6 and very
rarely with IPv4. Therefore, I still don't understand 512.
Also, the proper protection against the Shulman fragmentation attack
is DNSSEC.
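As an added illustration for readers of this thread (it is not code from the list or from anyone quoted here), the Python below shows what "setting the EDNS0 buffer size" means on the wire: it builds a query carrying the OPT pseudo-record that advertises a UDP payload size, reads that size back out of a wire-format message, and classifies what happens to a UDP answer of a given length against the advertised limit and the path MTU (truncation and a TCP retry, an unfragmented datagram, or IP fragmentation). The header sizes and the 1280-byte IPv6 minimum MTU come from RFC 791, RFC 768 and RFC 8200; `example.com`, the transaction id and the sample sizes are constructed values for the demonstration.

```python
"""Added example for the dns-operations thread on EDNS0 buffer sizes.
Builds/parses the EDNS0 OPT RR (RFC 6891) and models truncation vs
fragmentation for a UDP answer. Constructed for illustration only."""
import struct
from typing import Optional

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
DNS_CLASSIC_MAX = 512    # UDP limit when no OPT RR is present (RFC 1035)
IPV6_MIN_MTU = 1280      # every IPv6 link must carry this (RFC 8200)
IPV4_DEFAULT_MTU = 1500  # assumed Ethernet MTU when none is given
IPV4_HDR_UDP = 20 + 8    # IPv4 header + UDP header (RFC 791, RFC 768)
IPV6_HDR_UDP = 40 + 8    # IPv6 header + UDP header


def build_opt_rr(udp_payload_size: int, do_bit: bool = True) -> bytes:
    """Wire-format OPT RR: NAME = root (0x00), TYPE = 41, CLASS = advertised
    UDP payload size, TTL = ext-RCODE | version | DO+Z flags, RDLENGTH = 0."""
    if not 0 <= udp_payload_size <= 0xFFFF:
        raise ValueError("UDP payload size must fit in 16 bits")
    flags = 0x8000 if do_bit else 0      # DO bit is the top bit of the flags half
    return b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_payload_size, 0, 0, flags, 0)


def _encode_name(name: str) -> bytes:
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, qtype: int, udp_payload_size: int, txid: int = 0x1234) -> bytes:
    """Minimal query: header (RD set, ARCOUNT = 1), one IN question, one OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(udp_payload_size)


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def advertised_payload_size(pkt: bytes) -> Optional[int]:
    """Walk the message and return the CLASS of the first OPT RR, i.e. the
    sender's advertised UDP payload size; None if the message has no EDNS0."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def _mtu(ipv6: bool, path_mtu: Optional[int]) -> int:
    return path_mtu if path_mtu is not None else (IPV6_MIN_MTU if ipv6 else IPV4_DEFAULT_MTU)


def udp_outcome(response_size: int, advertised: Optional[int], ipv6: bool,
                path_mtu: Optional[int] = None) -> str:
    """How a UDP answer of response_size bytes is delivered:
    'truncated'  -> larger than the client allowed; TC set, client retries over TCP
    'fragmented' -> allowed, but the IP datagram exceeds the path MTU
    'intact'     -> allowed and carried in a single datagram"""
    limit = advertised if advertised is not None else DNS_CLASSIC_MAX
    if response_size > limit:
        return "truncated"
    overhead = IPV6_HDR_UDP if ipv6 else IPV4_HDR_UDP
    return "fragmented" if response_size + overhead > _mtu(ipv6, path_mtu) else "intact"


def largest_unfragmented_payload(ipv6: bool, path_mtu: Optional[int] = None) -> int:
    """Largest DNS payload that still fits one datagram at the given MTU."""
    return _mtu(ipv6, path_mtu) - (IPV6_HDR_UDP if ipv6 else IPV4_HDR_UDP)


if __name__ == "__main__":
    q = build_query("example.com.", 1, 1280)
    print(len(q), "byte query advertising", advertised_payload_size(q))
    for size in (400, 1000, 1300, 2000):
        print(size, udp_outcome(size, 1280, ipv6=True), udp_outcome(size, 512, ipv6=False))
```

The advertised size only governs the first branch (will the server set TC and push the client to TCP); whether the datagram that is allowed through then fragments depends on the IP and UDP header overhead and the path MTU, which is the second branch. Running the script with a 512-byte limit shows every answer above 512 bytes going to TCP, while a 1280-byte limit lets answers through that may or may not fit a 1280-byte IPv6 link once 48 bytes of headers are added.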