Paul Wouters <p...@nohats.ca> wrote:
>
> At section 4, item 3, it could give advice based on source-verified
> transport, so that ANY queries received over TCP or with DNS-COOKIES
> could include more data than potentially spoofed UDP packets. But perhaps
> that is not worth it, because ANY queries shouldn't really be used by
> applications, and humans will likely use dig without tcp or cookies
> enabled. So I am fine with the current text as well. But I think it
> would be cleaner if we no longer refer to UDP and TCP when we really
> mean "source IP verified transport" when we say that.
The important distinction for me really is TCP vs UDP - I want to avoid
sending fragmented or truncated UDP responses to legitimate clients.
(Spoofing attacks are handled by RRL, not minimal-any.)

https://www.ietf.org/mail-archive/web/dnsop/current/msg19609.html
https://www.ietf.org/mail-archive/web/dnsop/current/msg19631.html

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon, Rockall, Malin: West 5 to 7, occasionally gale 8 at first. Very rough,
occasionally rough in east Malin. Wintry showers. Good, occasionally moderate.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
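As an added example, not code from this thread or from any DNS server, here is the transport-dependent ANY policy the two messages debate, written in Python: a TCP query gets the full answer, a plain UDP query gets a single RRset chosen to fit the advertised payload so the response is neither fragmented nor truncated, and an optional cookie flag (off by default) models Paul's "source-verified transport" variant. The RRset wire lengths, the question length and the 1232-byte default payload are constructed assumptions, not values from the thread.

```python
# Added example: a minimal-ANY response policy keyed on transport.
# Not the code of any real resolver or authoritative server.
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    rtype: str
    wire_len: int  # constructed: encoded size of the whole RRset in bytes


HEADER_LEN = 12    # fixed DNS header size
QUESTION_LEN = 20  # assumed encoded question section size


def minimal_any_response(rrsets, transport, has_cookie=False, udp_payload=1232):
    """Decide what to put in the answer section of an ANY response.

    Returns (rrsets_to_send, truncated).  Over TCP, or over UDP with a
    validated DNS cookie (Paul's suggestion, modelled here as a flag), the
    full set is returned.  Over plain UDP a single RRset is returned, chosen
    as the smallest one that fits the payload, so the datagram is neither
    fragmented nor truncated (Tony's concern).  If nothing fits, the answer
    is empty and TC is set so a legitimate client retries over TCP.
    """
    full = list(rrsets)
    if transport == "tcp" or has_cookie:
        return full, False
    if transport != "udp":
        raise ValueError(f"unknown transport: {transport!r}")
    for rr in sorted(full, key=lambda r: r.wire_len):
        if HEADER_LEN + QUESTION_LEN + rr.wire_len <= udp_payload:
            return [rr], False
    return [], True


if __name__ == "__main__":
    # Constructed RRsets for one name; sizes are illustrative only.
    name_rrsets = [
        RRset("A", 100),
        RRset("AAAA", 120),
        RRset("TXT", 1500),
        RRset("DNSKEY", 800),
    ]
    for transport, cookie in (("udp", False), ("udp", True), ("tcp", False)):
        sent, tc = minimal_any_response(name_rrsets, transport, cookie)
        print(transport, "cookie" if cookie else "no-cookie",
              [r.rtype for r in sent], "TC" if tc else "")
```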