On Sep 15, 2014, at 12:52 PM, Tony Finch <d...@dotat.at> wrote:

> Franck Martin <fmar...@linkedin.com> wrote:
>>
>> What is the recommended setup for EDNS?
>> -limit size to <1500? on both IPv4 and IPv6?
>
> Yes, on some if not all of your authority servers. That is, you need to
> limit the size of response that you send (max-udp-size in BIND terms).
> (Don't get confused with your advertized EDNS buffer size which is for
> receiving responses, mainly on recursive servers.)
>
> This improves your interoperability with resolvers at other sites that
> have broken networks which drop fragmented packets.
>
> https://dnssec.surfnet.nl/wp-content/uploads/2012/09/Recommendations-for-dealing-with-fragmentation-in-DNS-v3.pdf
> https://www.usenix.org/sites/default/files/conference/protected-files/vanrisjwik_lisa12_slides.pdf
I’m looking more on the resolvers side as these may not be dedicated machines for named, like an authoritative server would be. So allowing fragmented packets to them to support EDNS >1280 responses without limiting the advertised EDNS buffer size may leave the box vulnerable to attacks (and which ones)?
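As an added illustration of the distinction Tony draws above (this is constructed example code, not from the thread or from BIND), the following builds a query whose OPT record advertises a chosen receive buffer size, and decodes the advertised size, DO flag and TC bit from any wire-format DNS message, so a resolver operator can see exactly what their box is offering to accept versus what a server actually sent. The 1280-byte default and the query name are assumptions chosen for the example.

```python
import struct

OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891)

def build_edns_query(qname: str, qtype: int = 1, bufsize: int = 1280, do_bit: bool = True) -> bytes:
    """Build a minimal DNS query carrying an OPT record.
    The OPT record's CLASS field is the UDP payload size *we* are willing to
    receive (the advertised EDNS buffer); it does not limit what we send."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)          # IN class
    ttl = 0x8000 if do_bit else 0                            # ext-rcode 0, version 0, DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)  # root name, no options
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def edns_info(msg: bytes):
    """Return advertised buffer size, DO flag, TC bit and wire size of a
    DNS message, or None when it carries no OPT record."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {"bufsize": rclass, "do": bool(rttl & 0x8000),
                    "tc": bool(flags & 0x0200), "size": len(msg)}
    return None

if __name__ == "__main__":
    q = build_edns_query("example.com")
    print(edns_info(q))
```

Feeding a captured response into `edns_info` shows whether the server set TC (fell back to truncation) and how large the datagram was, which is the number to compare against the fragmentation limit being discussed.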
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs