On Tue, 15 Sep 2020, Brian Somers wrote:
> My argument goes something like this. When a DNS request is sent, the client (whether a stub or a resolver) is the most qualified to know specifics about the “connection” and is also the target of fragmentation attacks.
Based on my field experience (and I wrote https://github.com/m3047/tcp_only_forwarder as a response to what I observed with regard to stub resolvers), the issue here isn't "attacks" but simply that the resolver protocol is stuck in the 1980s: if a complete UDP "message" (presumably meaning "all fragments") isn't received, then TC=1 is never recognized (because the response is never recognized) and TCP is never tried.
-- Fred Morris
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations