1. DNS/毒盛/dns-operations/fragmentation
Anyone who says there is no problem as long as DNSSEC is fully deployed is not looking at reality.
Banning fragmentation would be much easier. -- ToshinoriMaeno 2018-11-18 00:05:13
2. 2018
Cache-altering queries (was: Re: Spoofing DNS with fragments) https://lists.dns-oarc.net/pipermail/dns-operations/2018-October/018007.html
Spoofing DNS with fragments, bert hubert (bert.hubert at powerdns.com), Mon Sep 10 20:49:25 UTC 2018 https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017949.html
mostly a solved problem?
> The only things left to do are to set a flag (IP_PMTUDISC_OMIT is the easy to use variant) in DNS software and lower the buffer size to 1200 bytes.
https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017964.html
BTW I was experimenting with EDNS buffer size 1232 B once and as far as I remember it broke a non-negligible number of resolution attempts, so for now we decided to keep our huge default (4k).
Stephane Bortzmeyer bortzmeyer at nic.fr Tue Sep 11 09:13:52 UTC 2018
https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017952.html
Note that as long as one CA does not validate, DNSSEC is not a sufficient defense, you need DANE as well (otherwise the attacker will go to another CA).
https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017968.html
I'm worried that using TSIG will require a flag day eventually, just like EDNS.
The buffer size hack, combined with kernel assistance on some systems, looks much more promising, and it only requires fixing the authoritative server side, too.
Thanks, Florian
https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017965.html
Yes, we should make more effort to deprecate fragmented DNS. -- f.anthony.n.finch <dot at dotat.at>
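The two mitigations the thread settles on are an EDNS buffer size small enough to avoid fragmentation (1200 or 1232 bytes) and the IP_PMTUDISC_OMIT socket flag, which stops the kernel from honouring spoofed ICMP "fragmentation needed" messages. The following is an added example (not code from the list posts or from any of the projects named) that builds a query advertising a 1232-byte buffer, checks what a message advertises, and sets the flag on Linux; the constant values are assumed from <linux/in.h>, and the parser assumes uncompressed question names.

```python
import socket
import struct
from typing import Optional

# Linux values from <linux/in.h> (assumption: Linux; Python's socket module
# does not reliably export these). IP_PMTUDISC_OMIT never sets DF and ignores
# incoming ICMP Fragmentation Needed, so a spoofed PTB cannot force fragments.
IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)
IP_PMTUDISC_OMIT = 5
EDNS_BUFSIZE = 1232  # fits the 1280-byte IPv6 minimum MTU with headers

def build_edns_query(qname: str, qtype: int = 1,
                     bufsize: Optional[int] = EDNS_BUFSIZE, txid: int = 0x1234) -> bytes:
    """Build a DNS query; with bufsize set, append an EDNS0 OPT RR advertising it."""
    arcount = 0 if bufsize is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)  # class IN
    if bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return msg

def advertised_bufsize(msg: bytes) -> Optional[int]:
    """Return the UDP payload size in a message's OPT RR, or None if absent."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])

    def skip_name(o: int) -> int:
        while True:
            l = msg[o]
            if l == 0:
                return o + 1
            if l & 0xC0 == 0xC0:   # compression pointer: two bytes, ends name
                return o + 2
            o += 1 + l

    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass                 # CLASS field carries the buffer size
        off += 10 + rdlen
    return None

def omit_pmtud(sock: socket.socket) -> None:
    """Apply the mitigation from the thread to a UDP socket (Linux only)."""
    sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_OMIT)
```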
3. 2012
https://mailarchive.ietf.org/arch/msg/dnsop/xnJjuOFRE4IiT7uqEFyqhYKKT7c [DNSOP] avoiding fragmented DNS-over-UDP
M. Andrews (ISC), Internet-Draft, Intended status: Standards Track, January 22, 2012 (Expires: July 25, 2012): DNS and UDP Fragmentation, draft-andrews-dnsext-udp-fragmentation-01.txt
https://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01