Please describe DNS/FCP/countermeasures here.

== Spoofing DNS with fragments ==

https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017950.html

{{{
This is mostly a solved problem from the point of view of the low-level
infrastructure: Current Linux has mitigations DNS servers can use to
avoid fragmented responses for reasonable response buffer sizes (such
as 1200 bytes) even when ICMP path MTU poisoning is used.

The only things left to do are to set a flag (IP_PMTUDISC_OMIT is the
easy to use variant) in DNS software and lower the buffer size to 1200
bytes.

I could arrange for the Linux kernel changes, so upgrading DNS software
should be rather smooth today, but it still puzzles me that DNS vendors
ignored this issue, despite it being communicated clearly and widely as
early as 2008.
}}}

{{{
Florian Weimer fweimer at redhat.com
Mon Sep 10 21:31:52 UTC 2018
}}}

== watch ==

[[/usa.gov]]
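
The two steps named in the quote under "Spoofing DNS with fragments" (set IP_PMTUDISC_OMIT, cap the response buffer at 1200 bytes), sketched for an IPv4 UDP socket on Linux. This is an added example, not code from the quoted post or from any DNS server; the function names are hypothetical and the 512-byte floor for clients without EDNS is an assumption taken from standard DNS behaviour.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5        /* value from linux/in.h, for older libc headers */
#endif
#define DNS_MAX_UDP_PAYLOAD 1200  /* buffer size named in the quoted post */

/* Cap the EDNS buffer size a client advertised so a UDP answer never
 * exceeds 1200 bytes; anything below 512 is treated as plain 512-byte DNS. */
uint16_t dns_effective_bufsize(uint16_t advertised)
{
    if (advertised < 512)
        return 512;
    return advertised > DNS_MAX_UDP_PAYLOAD ? DNS_MAX_UDP_PAYLOAD : advertised;
}

/* Create a UDP socket whose sends ignore the cached path MTU, so a forged
 * ICMP "fragmentation needed" cannot force small fragments.
 * Returns the descriptor, or -1 if the socket or the option is unavailable. */
int dns_udp_socket(void)
{
    int mode = IP_PMTUDISC_OMIT;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode) < 0) {
        close(fd);                /* kernel older than 3.15 rejects the value */
        return -1;
    }
    return fd;
}

/* Read the mode back so a startup self-check can confirm it took effect. */
int dns_pmtu_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof mode;
    return getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) < 0 ? -1 : mode;
}

int main(void)
{
    int fd = dns_udp_socket();
    if (fd < 0) { fprintf(stderr, "IP_PMTUDISC_OMIT not available\n"); return 1; }
    printf("pmtu mode=%d, reply limit for 4096: %u\n",
           dns_pmtu_mode(fd), (unsigned)dns_effective_bufsize(4096));
    close(fd);
    return 0;
}
```

A server that falls back silently when the option is rejected loses the protection, so the failure path here is reported rather than ignored.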