Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-10-05 Thread Florian Weimer
* Hannes Frederic Sowa: > On Tue, Sep 23, 2014, at 23:41, Mark Andrews wrote: >> As for atomic fragments, it is a separate issue out of control of >> the nameserver. > > Because of a possible DoS vector atomic fragments will be deprecated > soon: >

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-10-04 Thread Hannes Frederic Sowa
On Tue, Sep 23, 2014, at 23:41, Mark Andrews wrote: > As for atomic fragments, it is a separate issue out of control of > the nameserver. Because of a possible DoS vector atomic fragments will be deprecated soon: Bye, H

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-24 Thread Roland Dobbins
On Sep 25, 2014, at 1:46 AM, Franck Martin wrote: But what about the customers that use recursive nameservers, does it make sense for them to block fragments at the edge and even on the other side of the link at the edge? No, no, no. They'll break the Internet if they do that. My point was in

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-24 Thread Franck Martin
On Sep 23, 2014, at 2:34 PM, Roland Dobbins wrote: > > On Sep 24, 2014, at 12:16 AM, Florian Weimer wrote: > >> Fragmentation in IPv4 is inherently insecure. > > Conceptually, yes, it's a Very Bad Idea. But given the realities of the > TCP/IP we have, it's important that network operators

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-23 Thread Mark Andrews
In message <87fvfitfyj@mid.deneb.enyo.de>, Florian Weimer writes: > * Franck Martin: > > > What is the recommended setup for EDNS? > > -limit size to <1500? on both IPv4 and IPv6? > > Limit to packet size 1200 or less, and tell the kernel to disregard > any path MTU information it has. > >

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-23 Thread Roland Dobbins
On Sep 24, 2014, at 12:16 AM, Florian Weimer wrote: > Fragmentation in IPv4 is inherently insecure. Conceptually, yes, it's a Very Bad Idea. But given the realities of the TCP/IP we have, it's important that network operators understand that they can't filter out non-initial fragments, or th

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-23 Thread Florian Weimer
* Franck Martin: > What is the recommended setup for EDNS? > -limit size to <1500? on both IPv4 and IPv6? Limit to packet size 1200 or less, and tell the kernel to disregard any path MTU information it has. > -allow UDP fragmentation on IPv4 and IPv6, how securely? Fragmentation in IPv4 is inhe

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-16 Thread Davey Song
In the context of this discussion, I want to ask a question about DNS UDP size in IPv4/IPv6. I read SAC-035 about a test on Broadband Routers and Firewalls. There are 27% of DNS proxies that still cannot pass packets larger than 512. I don't know whether it will be overcome by using IPv6 for transpo

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Roland Dobbins
On Sep 15, 2014, at 6:26 PM, Franck Martin wrote: > So allowing fragmented packets to them to support EDNS >1280 responses > without limiting the advertised EDNS buffer size may leave the box vulnerable > to attacks (and which ones)? If you're talking about recursive resolvers, then prohibiti

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Tony Finch
Roland Dobbins wrote: > On Sep 15, 2014, at 5:52 PM, Tony Finch wrote: > > > That is, you need to limit the size of response that you send (max-udp-size > > in BIND terms). > > Do you recommend that it be lowered to 1280 or thereabouts for IPv6? Not enough data, sorry. In practice the ethernet

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Franck Martin
On Sep 15, 2014, at 12:52 PM, Tony Finch wrote: > Franck Martin wrote: >> >> What is the recommended setup for EDNS? >> -limit size to <1500? on both IPv4 and IPv6? > > Yes, on some if not all of your authority servers. That is, you need to > limit the size of response that you send (max-udp-

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Roland Dobbins
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote: > max-udp-size in BIND terms btw, my impression is that the OP was asking about network policies, not DNS server settings - correction welcome if this wasn't the case. -- Roland

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Roland Dobbins
On Sep 15, 2014, at 5:52 PM, Tony Finch wrote: > That is, you need to limit the size of response that you send (max-udp-size > in BIND terms). Do you recommend that it be lowered to 1280 or thereabouts for IPv6? -- Roland Dob

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Tony Finch
Franck Martin wrote: > > What is the recommended setup for EDNS? > -limit size to <1500? on both IPv4 and IPv6? Yes, on some if not all of your authority servers. That is, you need to limit the size of response that you send (max-udp-size in BIND terms). (Don't get confused with your advertized E
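
The distinction Tony draws above (the size you are willing to send, BIND's max-udp-size, versus the size a client advertises in its EDNS OPT record) is easiest to see on the wire. The following is an added example, not code from this thread, from BIND or from any of the posters: a stdlib-only Python model of the authoritative-side decision. It builds a query with a chosen EDNS buffer size, computes the effective limit as the smaller of the advertised size and the server's own cap, and returns either the full answer or an empty response with TC set so the client retries over TCP. It also computes the 1232-byte figure that falls out of the 1280-byte IPv6 minimum MTU that Mark and Florian refer to. Names, addresses and sizes are constructed for illustration.

```python
"""Added example (not from the thread or from BIND): what an EDNS0 buffer size and
a server-side UDP size cap do to a DNS response. Pure stdlib, no network; every
packet here is built in memory from constructed data."""
import struct

DNS_PAYLOAD_DEFAULT = 512      # RFC 1035 UDP limit when the query carries no OPT RR
IPV6_MIN_MTU = 1280            # every IPv6 link must carry this without fragmentation
QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_TC = 0x0200               # "truncated" bit in the DNS header flags


def unfragmented_payload(mtu, ipv6):
    """Largest DNS message that fits in one datagram on a link of the given MTU."""
    return mtu - (40 if ipv6 else 20) - 8      # IP header + 8-byte UDP header


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Offset just past an uncompressed wire-format name starting at off."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def build_plain_query(name, qtype, txid=0x1234):
    """Pre-EDNS query: no OPT RR, so the client implicitly accepts only 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_edns_query(name, qtype, bufsize, txid=0x1234):
    """Query with RD set plus one OPT RR; the OPT's CLASS field is the advertised UDP size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, bufsize, 0, 0)   # root name, no options
    return header + question + opt


def find_opt_bufsize(query):
    """Advertised UDP payload size from the OPT RR, or None if the query has no OPT."""
    qd, _an, _ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            return rclass
    return None


def advertised_bufsize(query):
    adv = find_opt_bufsize(query)
    return DNS_PAYLOAD_DEFAULT if adv is None else adv


def a_rrset(name, addrs, ttl=300):
    """Uncompressed A records from constructed addresses (documentation range 192.0.2.0/24)."""
    rdata = [bytes(int(x) for x in a.split(".")) for a in addrs]
    return b"".join(encode_name(name) + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4) + r
                    for r in rdata)


def udp_response(query, answer_rrs, answer_count, max_udp_size):
    """Server-side rule modelled on BIND's max-udp-size: the UDP response may not exceed
    min(client's advertised size, server's own cap). If it would, send an empty answer
    with TC set and let the client retry over TCP instead of relying on fragments."""
    adv = find_opt_bufsize(query)
    limit = min(DNS_PAYLOAD_DEFAULT if adv is None else adv, max_udp_size)
    qd = struct.unpack("!H", query[4:6])[0]
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    question = query[12:off]
    # Echo an OPT RR (carrying our own size) only if the client sent one.
    opt = b"" if adv is None else b"\x00" + struct.pack("!HHIH", QTYPE_OPT, max_udp_size, 0, 0)
    arcount = 0 if adv is None else 1
    full = query[:2] + struct.pack("!HHHHH", 0x8180, 1, answer_count, 0, arcount) \
        + question + answer_rrs + opt
    if len(full) <= limit:
        return full
    return query[:2] + struct.pack("!HHHHH", 0x8180 | FLAG_TC, 1, 0, 0, arcount) + question + opt


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    big = a_rrset("example.com.", ["192.0.2.%d" % i for i in range(1, 101)])   # 2700 bytes of RRs
    for adv, cap in ((4096, 4096), (4096, 1232), (1232, 4096)):
        r = udp_response(build_edns_query("example.com.", QTYPE_A, adv), big, 100, cap)
        print("advertised %4d, max-udp-size %4d -> %4d bytes, TC=%s" % (adv, cap, len(r), is_truncated(r)))
    print("IPv6 min MTU payload:", unfragmented_payload(IPV6_MIN_MTU, True))
```

Two points the run makes concrete: the server's cap wins even when the client advertises 4096, and a large advertised size is only a promise that the client can reassemble, not that fragments will arrive. The 1232 the script prints is 1280 minus the IPv6 and UDP headers; Florian's "1200 or less" leaves a little headroom below it. In BIND the sending limit is `max-udp-size`; `edns-udp-size` is the separate value a server advertises when it is itself the client, which is the confusion Tony warns about.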

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Roland Dobbins
On Sep 15, 2014, at 3:25 PM, Stephane Bortzmeyer wrote: > It may be interesting against amplification attacks (although it seems > everyone moved to NTP amplification attacks, abandoning the DNS). Actually, this isn't really what we're seeing - ntp and SSDP and SNMP and chargen and tftp refle

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Stephane Bortzmeyer
On Sat, Sep 13, 2014 at 09:37:52AM +, Franck Martin wrote a message of 61 lines which said: > -limit size to <1500? on both IPv4 and IPv6? It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS). For fragmenta

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-14 Thread Roland Dobbins
On Sep 15, 2014, at 6:48 AM, Mark Andrews wrote: > It is about PMTUD being a bad fit for DNS. That's fair. I think a lot of folks are just going to end up manually setting their MTUs to 1280 . . . -- Roland Dobbins //

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-14 Thread Mark Andrews
In message <3cb37b5b-fa6c-42f7-8ccf-7eb40ae29...@arbor.net>, Roland Dobbins writes: > > On Sep 13, 2014, at 6:58 PM, Mark Andrews wrote: > > > But do force IPv6 to fragment at 1280. This avoids PMTUD. > > Personally, I'd rather see pressure on networks to do The Right Thing in terms of

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Roland Dobbins
On Sep 13, 2014, at 6:58 PM, Mark Andrews wrote: > But do force IPv6 to fragment at 1280. This avoids PMTUD. Personally, I'd rather see pressure on networks to do The Right Thing in terms of ICMPv6 . . . ;> -- Roland Dobbi

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Roland Dobbins
On Sep 13, 2014, at 9:47 PM, Harald Koch wrote: > In the 1990s fragmentation-based attacks against IP stacks were very real, it > took a long time for vendors to fix their stacks completely, and longer to > get fixes deployed; we didn't have the "patch everything monthly" culture > firmly est

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Harald Koch
On 13 September 2014 06:24, Roland Dobbins wrote: > > No. IP fragmentation is a normal part of TCP/IP communications across the > Internet. It isn't something to actively wish for, but it's perfectly > normal. > Google "Fragmentation Considered Harmful" - nothing significant has changed in the

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Mark Andrews
In message <5dd7f8ba-adb7-4132-9672-7fe53174e...@arbor.net>, Roland Dobbins writes: > > > On Sep 13, 2014, at 4:37 PM, Franck Martin wrote: > > > My understanding is that UDP fragmentation is something frowned upon in > IPv4 and even more on IPv6 (because of processing power needed, and > security

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Roland Dobbins
On Sep 13, 2014, at 4:37 PM, Franck Martin wrote: > My understanding is that UDP fragmentation is something frowned upon in IPv4 > and even more on IPv6 (because of processing power needed, and security > concerns)? No. IP fragmentation is a normal part of TCP/IP communications across the Int

[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-13 Thread Franck Martin
I’m trying to figure out EDNS with UDP fragmentation on both IPv4 and IPv6 networks. My understanding is that UDP fragmentation is something frowned upon in IPv4 and even more on IPv6 (because of processing power needed, and security concerns)? What is the recommended setup for EDNS? -limit size t