On Sep 15, 2014, at 6:26 PM, Franck Martin <fmar...@linkedin.com> wrote:
> So allowing fragmented packets to them to support EDNS >1280 responses
> without limiting the advertised EDNS buffer size may leave the box vulnerable
> to attacks (and which ones)?

If you're talking about recursive resolvers, then prohibiting them from receiving fragments via network access policies will break the Internet for your users. Don't do it.

Allowing them to receive fragments does *not* make them any more vulnerable to attack (any kind of TCP/IP traffic can be used for an attack). But it will break DNS resolution with regards to EDNS0 and DNSSEC (which requires EDNS0).

As I explained previously, this nonsense about fragmentation being a security risk of some sort is just that - nonsense.

----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri. -- Laocoön
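An added illustration, not part of this thread or written by either poster: the EDNS0 OPT pseudo-RR that carries the advertised UDP buffer size in wire format, a parser that reads it back from a constructed response, and a small model of what happens to a large UDP answer when a filter in front of the resolver drops fragments. The path-MTU figure and the "naive resolver" assumption (no automatic bufsize fallback) are assumptions for the model, not facts from the thread.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000        # DNSSEC OK flag, high bit of the 16-bit EDNS flags
IP_UDP_OVERHEAD = 28   # IPv4 (20) + UDP (8) header bytes; an assumption for the model

def build_edns_query(qname: str, qtype: int, bufsize: int, dnssec_ok: bool = True) -> bytes:
    """Encode a DNS query whose OPT RR advertises `bufsize` as the UDP payload size."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer (0xC0xx) ends the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_opt(msg: bytes):
    """Return (advertised bufsize, DO bit) from the first OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return None

def udp_outcome(response_len: int, advertised_bufsize: int, path_mtu: int, fragments_pass: bool) -> str:
    """Fate of a UDP answer of `response_len` bytes, assuming a resolver that does not retry with a smaller bufsize."""
    if response_len > advertised_bufsize:
        return "truncated -> TCP retry"      # server sets TC; resolver retries over TCP
    if response_len + IP_UDP_OVERHEAD <= path_mtu:
        return "delivered"
    return "delivered (fragmented)" if fragments_pass else "blackholed"

# Constructed sample response: same question, one A record via compression pointer to the
# question name, and an OPT RR advertising 1232 bytes with DO set.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                   + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT, 0))
```

With fragments filtered, a 1500-byte DNSSEC answer is silently lost at bufsize 4096 but falls back to TCP at bufsize 1232, which is the trade-off the question above is asking about.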
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs