== DNS/Bert ==

[[DNS/finch]]

https://ds9a.nl/tmp/powerdns-xs4all-presentatie.pdf

== dns-operations 2018 ==

[dns-operations] Spoofing DNS with fragments

https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017949.html
https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017950.html

{{{
This is mostly a solved problem from the point of view of the low-level infrastructure: Current Linux has mitigations DNS servers can use to avoid fragmented responses for reasonable response buffer sizes (such as 1200 bytes) even when ICMP path MTU poisoning is used.
}}}

{{{
By the way, I'm not sure if DNSSEC mitigates the denial-of-service aspect of this vulnerability. If this attack is simple enough to carry out, people will use it to install bad glue for DNSSEC-secured domains, blocking successful resolution, just for fun. There is no alternative to lowering the buffer size *and* avoiding fragmentation.
}}}
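The mitigation both quoted messages converge on is to keep the EDNS buffer small (1200 bytes) so that no UDP answer ever needs IP fragmentation. As an added example, not code from the page or from the quoted authors, here is a pure-Python model of that negotiation: the client advertises a UDP payload size in its OPT record, the server extracts it, caps it at 1200 bytes, and answers with TC=1 (forcing a TCP retry) rather than sending anything larger; a helper computes the largest message that fits one datagram at a given MTU. Function names, the 0x1234 transaction id and the example.com query are constructed for this illustration.

```python
import struct

SAFE_EDNS_BUFSIZE = 1200   # server-side cap, the size the quoted message calls reasonable
TYPE_OPT = 41              # EDNS0 OPT pseudo-RR (RFC 6891)

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: each label prefixed by its length, then a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (a compression pointer ends the name)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length >= 0xC0:          # two-byte compression pointer
            return pos + 2
        pos += length + 1

def build_edns_query(qname: str, qtype: int, bufsize: int, txid: int = 0x1234) -> bytes:
    """Client side: one question plus an OPT RR advertising the UDP payload size it accepts."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = struct.pack("!BHHIH", 0, TYPE_OPT, bufsize, 0, 0)       # root name; CLASS carries bufsize
    return header + question + opt

def advertised_bufsize(query: bytes) -> int:
    """Server side: the client's advertised EDNS buffer, or 512 when the query has no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(query, pos) + 4               # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return 512

def max_udp_dns_payload(mtu: int, ipv6: bool) -> int:
    """Largest DNS message that fits a single datagram without IP-layer fragmentation."""
    return mtu - (40 if ipv6 else 20) - 8          # IP header + 8-byte UDP header

def plan_response(query: bytes, response_len: int, server_max: int = SAFE_EDNS_BUFSIZE) -> str:
    """'udp' if the answer fits min(client buffer, server cap); else 'truncate' (TC=1, client retries over TCP)."""
    limit = min(advertised_bufsize(query), server_max)
    return "udp" if response_len <= limit else "truncate"
```

With the 1200-byte cap, 1200 + 8 + 40 = 1248 bytes stays under the 1280-byte IPv6 minimum MTU, so a server honouring the cap never emits a fragmented answer regardless of what ICMP says the path MTU is; a 4096-byte buffer would allow 1500-byte answers that fragment even on plain Ethernet.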