[dns-operations] fragmentation avoidance

Paul Vixie paul at redbarn.org
Fri Apr 17 23:12:44 UTC 2020


On Friday, 17 April 2020 22:48:08 UTC Mark Andrews wrote:
> ...
> 
> Or we could adopt the well known TSIG approach and defeat
> fragmentation attacks that way.  This works for both IPv4 and IPv6.

fragmentation's harms extend well beyond dns integrity vulnerabilities. i 
should not have proposed fragmentation in EDNS, and now we have to go undo 
that part and start again on the datagram size tension headache. see here:

https://tools.ietf.org/html/draft-fujiwara-dnsop-avoid-fragmentation-02

-- 
Paul




More information about the dns-operations mailing list