[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 7 08:51:24 UTC 2019

On Mon, Jan 07, 2019 at 07:59:32AM +0100,
 Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote 
 a message of 21 lines which said:

> I think they want to protect from DNS spoofing attacks with fragments
> [1] and they believe setting the EDNS0 buffer size to 512 bytes reduces
> the attack vector:

No article (not the Shulman paper, nor the articles on the Let's
Encrypt site) discuss 512 vs 1280, just fragmentation
vs. non-fragmentation. 1280 will never fragment with IPv6 and very
rarely with IPv4. Therefore, I still don't understand 512.

Also, the proper protection against the Shulman fragmentation attack

More information about the dns-operations mailing list