On 09/13/2014 10:45 AM, David Conrad wrote:
> On Sep 13, 2014, at 2:19 AM, Franck Martin
> wrote:
>> I’m not sure why the dot prod was not first set up to return
>> NXDOMAIN, queries logged, and then source IP contacted to warn
>> them
>> May be this is an insight now, may be this is something
On Sep 15, 2014, at 10:00 AM, Wessels, Duane wrote:
>
> On Sep 11, 2014, at 6:12 PM, Paul Hoffman wrote:
>
>> On Sep 11, 2014, at 4:27 PM, Paul Vixie wrote:
>>
>>> for the time being, and perhaps for a long time to come, the
>>> people who call the presence of .PROD a bug and/or depend on it
On Sep 11, 2014, at 6:12 PM, Paul Hoffman wrote:
> On Sep 11, 2014, at 4:27 PM, Paul Vixie wrote:
>
>> for the time being, and perhaps for a long time to come, the
>> people who call the presence of .PROD a bug and/or depend on its absence
>> as a feature, outnumbers and will outnumber the peo
On Sep 15, 2014, at 6:26 PM, Franck Martin wrote:
> So allowing fragmented packets to them to support EDNS >1280 responses
> without limiting the advertised EDNS buffer size may leave the box vulnerable
> to attacks (and which ones)?
If you're talking about recursive resolvers, then prohibiti
Roland Dobbins wrote:
> On Sep 15, 2014, at 5:52 PM, Tony Finch wrote:
>
> > That is, you need to limit the size of response that you send (max-udp-size
> > in BIND terms).
>
> Do you recommend that it be lowered to 1280 or thereabouts for IPv6?
Not enough data, sorry. In practice the ethernet
On Sep 15, 2014, at 12:52 PM, Tony Finch wrote:
> Franck Martin wrote:
>>
>> What is the recommended setup for EDNS?
>> -limit size to <1500? on both IPv4 and IPv6?
>
> Yes, on some if not all of your authority servers. That is, you need to
> limit the size of response that you send (max-udp-
On Mon, Sep 15, 2014 at 3:32 AM, Daniel Kalchev wrote:
>
>
> On 13.09.14 17:54, Phillip Hallam-Baker wrote:
>> On Thu, Sep 11, 2014 at 9:12 PM, Paul Hoffman wrote:
>>> On Sep 11, 2014, at 4:27 PM, Paul Vixie wrote:
>>>
for the time being, and perhaps for a long time to come, the
people
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote:
> max-udp-size in BIND terms
btw, my impression is that the OP was asking about network policies, not DNS
server settings - correction welcome if this wasn't the case.
--
Roland
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote:
> That is, you need to limit the size of response that you send (max-udp-size
> in BIND terms).
Do you recommend that it be lowered to 1280 or thereabouts for IPv6?
--
Roland Dob
Franck Martin wrote:
>
> What is the recommended setup for EDNS?
> -limit size to <1500? on both IPv4 and IPv6?
Yes, on some if not all of your authority servers. That is, you need to
limit the size of response that you send (max-udp-size in BIND terms).
(Don't get confused with your advertized E
On Sep 15, 2014, at 3:25 PM, Stephane Bortzmeyer wrote:
> It may be interesting against amplification attacks (although it seems
> everyone moved to NTP amplification attacks, abandoning the DNS).
Actually, this isn't really what we're seeing - ntp and SSDP and SNMP and
chargen and tftp refle
On Sat, Sep 13, 2014 at 09:37:52AM +,
Franck Martin wrote
a message of 61 lines which said:
> -limit size to <1500? on both IPv4 and IPv6?
It may be interesting against amplification attacks (although it seems
everyone moved to NTP amplification attacks, abandoning the DNS). For
fragmenta
On 13.09.14 17:54, Phillip Hallam-Baker wrote:
> On Thu, Sep 11, 2014 at 9:12 PM, Paul Hoffman wrote:
>> On Sep 11, 2014, at 4:27 PM, Paul Vixie wrote:
>>
>>> for the time being, and perhaps for a long time to come, the
>>> people who call the presence of .PROD a bug and/or depend on its absenc