Hello,

> > So, we might set max-udp-size to 1220 for preventing UDP
> > fragmentation.
>
> But, in IPv4, the attacker can send spoofed ICMP "packet too big"
> messages to decrease the size of the path MTU, as seen by the DNS
> server.

RELNOTES of NSD 3.2.9 describes the following; we may separate the
max-udp-size value for IPv4 and for IPv6.

-- Orange

> NSD 3.2.9
>
> The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
> 1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is
> smaller than the EDNS default.

From: Stephane Bortzmeyer <[email protected]>
Date: Wed, 4 Sep 2013 15:55:22 +0200

> On Wed, Sep 04, 2013 at 10:45:42PM +0900,
>  Yasuhiro Orange Morishita / 森下泰宏 <[email protected]> wrote
>  a message of 38 lines which said:
>
> > So, we might set max-udp-size to 1220 for preventing UDP
> > fragmentation.
>
> But, in IPv4, the attacker can send spoofed ICMP "packet too big"
> messages to decrease the size of the path MTU, as seen by the DNS
> server.
>
> I do not find an equivalent of RFC 5927 for UDP. I assume (I didn't
> check) that UDP stacks implement similar protections (some suggestions
> of RFC 5927 are very TCP-specific such as checking the sequence
> number) but it would be interesting to study this possible attack in
> depth.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
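As an added illustration of the per-address-family EDNS response cap the NSD 3.2.9 release note describes (example code written for this page, not NSD's or BIND's own logic): the block below parses the OPT RR out of a raw DNS query to find the client's advertised UDP payload size, applies a per-family cap, and decides whether a response of a given length would have to be truncated (TC=1) rather than sent whole over UDP. The function names, the constructed sample query, and the rule that the effective limit is the smaller of the advertised size and the per-family cap (floored at 512, as RFC 6891 requires for advertised sizes below 512) are assumptions made here; the thread quotes the 512/1480/1220 numbers but not NSD's exact code.

```python
import struct

# Per-address-family EDNS response caps, taken from the NSD 3.2.9 release
# note quoted in the thread (assumed here to act as configured maxima).
DEFAULT_EDNS_LIMIT = {"ipv4": 1480, "ipv6": 1220}
NO_EDNS_LIMIT = 512          # classic DNS-over-UDP limit (RFC 1035)
OPT_TYPE = 41                # EDNS0 OPT pseudo-RR type (RFC 6891)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def client_edns_bufsize(query: bytes):
    """Return the UDP payload size the client advertises in its OPT RR, or None if no EDNS."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):                   # QNAME + QTYPE + QCLASS
        off = _skip_name(query, off) + 4
    for _ in range(ancount + nscount):         # ordinary RRs: skip by RDLENGTH
        off = _skip_name(query, off)
        (rdlen,) = struct.unpack("!H", query[off + 8:off + 10])
        off += 10 + rdlen
    for _ in range(arcount):                   # OPT lives in the additional section
        off = _skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        (rdlen,) = struct.unpack("!H", query[off + 8:off + 10])
        if rtype == OPT_TYPE:
            return rclass                      # for OPT, CLASS carries the payload size
        off += 10 + rdlen
    return None


def udp_response_limit(family: str, bufsize, configured_max=None) -> int:
    """Largest UDP response the server will send, per the assumed rule (see lead-in)."""
    if bufsize is None:
        return NO_EDNS_LIMIT
    cap = configured_max if configured_max is not None else DEFAULT_EDNS_LIMIT[family]
    # RFC 6891 6.2.5: advertised sizes below 512 are treated as 512.
    return max(NO_EDNS_LIMIT, min(bufsize, cap))


def plan_response(family: str, query: bytes, response_len: int, configured_max=None) -> dict:
    """Decide whether a response of response_len octets must be truncated (TC=1)."""
    limit = udp_response_limit(family, client_edns_bufsize(query), configured_max)
    return {"limit": limit, "truncate": response_len > limit}


def build_query(qname: str, bufsize=None) -> bytes:
    """Constructed sample: a standard A query, with an OPT RR when bufsize is given."""
    arcount = 1 if bufsize is not None else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=bufsize, TTL=0 (ext-rcode/version/flags), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return msg


if __name__ == "__main__":
    q = build_query("example.com", 4096)
    for fam in ("ipv4", "ipv6"):
        print(fam, plan_response(fam, q, 1400))
```

With a client advertising 4096 octets and a 1400-octet answer, the IPv4 side (cap 1480) sends it whole while the IPv6 side (cap 1220) sets TC and pushes the client to TCP. Note that this cap only bounds what the server hands to its socket; as the thread points out, on IPv4 a spoofed ICMP "packet too big" that lowers the server's cached path MTU can still make the kernel fragment a datagram that is under the DNS-layer limit.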
