On Mon, 20 Mar 2017, Tony Finch wrote:
> Paul Wouters <p...@nohats.ca> wrote:
> > At section 4, item 3, it could give advice based on source-verified
> > transport, so that ANY queries received over TCP or with DNS-COOKIES
> > could include more data than potentially spoofed UDP packets. But perhaps
> > that is not worth it, because ANY queries shouldn't really be used by
> > applications, and humans will likely use dig without tcp or cookies
> > enabled. So I am fine with the current text as well. But I think it
> > would be cleaner if we no longer refer to UDP and TCP when we really
> > mean "source IP verified transport" when we say that.
> The important distinction for me really is TCP vs UDP - I want to avoid
> sending fragmented or truncated UDP responses to legitimate clients.
> (Spoofing attacks are handled by RRL, not minimal-any.)
> https://www.ietf.org/mail-archive/web/dnsop/current/msg19609.html
> https://www.ietf.org/mail-archive/web/dnsop/current/msg19631.html
Then clearly the section could use some clarification text :)
Paul
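To make the two positions in this exchange concrete, here is an added example (not code from the draft, from either author, or from any DNS server) of a responder's decision logic for ANY queries. It models Tony's reading ("tcp-only": a full ANY answer only when the query arrived over TCP) and Paul's suggestion ("source-verified": a full answer over TCP or when the query carried a server-verified DNS cookie), and it shows why the transport still matters for sizing: a full answer sent over UDP may exceed the client's EDNS buffer and come back truncated, which is exactly the outcome Tony wants to avoid. The zone data, the per-record size accounting, the policy names and the 1232-byte UDP ceiling are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample zone content for the example; not real records.
# One oversized TXT RRset makes the full ANY answer too large for a 512-byte reply.
RRSETS = {
    "example.com.": {
        "A": ["192.0.2.1"],
        "AAAA": ["2001:db8::1"],
        "MX": ["10 mail.example.com."],
        "TXT": ["v=spf1 -all", "x" * 600],
    }
}

# Rough fixed per-record wire overhead (name pointer, type, class, TTL, rdlength).
# Assumption for sizing only; real encoding depends on compression.
RR_HEADER_OVERHEAD = 12


def rrset_size(rdatas):
    """Approximate wire size of one RRset from its rdata strings."""
    return sum(RR_HEADER_OVERHEAD + len(r) for r in rdatas)


@dataclass
class Query:
    qname: str
    qtype: str
    transport: str            # "udp" or "tcp"
    cookie_verified: bool = False   # server validated a DNS cookie on this query
    edns_bufsize: int = 512         # advertised EDNS UDP payload size


@dataclass
class Response:
    rrsets: dict
    truncated: bool = False   # TC bit: client must retry over TCP
    minimal: bool = False     # minimal-any subset was returned


def source_verified(q: Query) -> bool:
    """Paul's notion: the source address is verified over TCP or via a valid cookie."""
    return q.transport == "tcp" or q.cookie_verified


def answer(q: Query, policy: str = "tcp-only", max_udp_payload: int = 1232) -> Response:
    """Decide what to return for a query.

    policy "tcp-only": full ANY answers only over TCP (Tony's position).
    policy "source-verified": full ANY answers over TCP or with a verified cookie
    (Paul's suggestion). Either way, non-ANY queries are answered normally.
    """
    zone = RRSETS.get(q.qname)
    if zone is None:
        return Response(rrsets={})
    if q.qtype != "ANY":
        rrs = {q.qtype: zone[q.qtype]} if q.qtype in zone else {}
        return _fit(rrs, q, max_udp_payload)
    trusted = q.transport == "tcp" if policy == "tcp-only" else source_verified(q)
    if trusted:
        return _fit(dict(zone), q, max_udp_payload)
    # minimal-any: return the single smallest RRset so the reply never needs
    # fragmentation or the TC bit regardless of the client's buffer size.
    rtype = min(zone, key=lambda t: rrset_size(zone[t]))
    return Response(rrsets={rtype: zone[rtype]}, minimal=True)


def _fit(rrs: dict, q: Query, max_udp_payload: int) -> Response:
    """Apply UDP size limits: over TCP everything fits; over UDP, truncate instead
    of sending a reply larger than the negotiated buffer (avoids fragmentation)."""
    if q.transport == "tcp":
        return Response(rrsets=rrs)
    limit = min(q.edns_bufsize, max_udp_payload)
    total = sum(rrset_size(r) for r in rrs.values())
    if total <= limit:
        return Response(rrsets=rrs)
    return Response(rrsets={}, truncated=True)


if __name__ == "__main__":
    for policy in ("tcp-only", "source-verified"):
        r = answer(Query("example.com.", "ANY", "udp", cookie_verified=True), policy)
        print(policy, "udp+cookie ->", "TC" if r.truncated else sorted(r.rrsets), r.minimal)
```

Under "source-verified", a cookie-bearing UDP ANY query with the default 512-byte buffer gets the full answer selected and then truncated, so the client ends up retrying over TCP anyway; the same query with a 1232-byte buffer fits. Under "tcp-only" the same UDP query gets the one-RRset minimal answer and never needs TC. Both outcomes are what the two emails above describe.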
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop