On Wed, Sep 04, 2013 at 10:45:42PM +0900, Yasuhiro Orange Morishita / 森下泰宏 <yasuh...@jprs.co.jp> wrote a message of 38 lines which said:
> So, we might set max-udp-size to 1220 for preventing UDP
> fragmentation.

But, in IPv4, the attacker can send spoofed ICMP "packet too big" messages to decrease the size of the path MTU, as seen by the DNS server. I do not find an equivalent of RFC 5927 for UDP. I assume (I didn't check) that UDP stacks implement similar protections (some suggestions of RFC 59267 are very TCP-specific, such as checking the sequence number) but it would be interesting to study this possible attack in depth.