[dns-operations] Verisign TLDs, some other servers may trim critical glue from very large referrals
fweimer at redhat.com
Mon Jan 7 09:31:41 UTC 2019
* Stephane Bortzmeyer:
> On Mon, Jan 07, 2019 at 07:59:32AM +0100,
> Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote
> a message of 21 lines which said:
>> I think they want to protect from DNS spoofing attacks with fragments
>>  and they believe setting the EDNS0 buffer size to 512 bytes reduces
>> the attack vector:
> No article (not the Shulman paper, nor the articles on the Let's
> Encrypt site) discuss 512 vs 1280, just fragmentation
> vs. non-fragmentation. 1280 will never fragment with IPv6 and very
> rarely with IPv4. Therefore, I still don't understand 512.
Some authoritative servers honor ICMP requests to lower the path MTU to
very small values (which is why I think a client-side workaround is
rather incomplete). 512 is just the lowest value you can use.
> Also, the proper protection against the Shulman fragmentation attack
> is DNSSEC.
This is not something a CA can enable, though.
More information about the dns-operations