BTW just to complete my question in my first email - is there an agreement that this is serious and needs to be addressed?
I am still wondering why this has slipped under the radar for so long (the original paper was published last year).

Ondřej Surý

> On 4. 9. 2013, at 15:47, Stephane Bortzmeyer <[email protected]> wrote:
>
> On Wed, Sep 04, 2013 at 03:08:55PM +0200,
> Ondřej Surý <[email protected]> wrote
> a message of 81 lines which said:
>
>> So what are the views of other people on this list?
>
> [Total noob just going back from holidays and therefore even less
> competent than usual.]
>
> Isn't it a good idea to limit the maximum size of the response, like
> .com/.net (and maybe other TLDs: examples welcome) do? This will make
> the attack more difficult.
>
> With IPv6, limiting to 1280 bytes completely prevents fragmentation.
>
> With IPv4, limiting to the minimum size of IPv4 datagrams is really
> too harsh and the attacker may trigger fragmentation by sending
> spoofed ICMP "packet too big". A possible solution is simply to deploy
> IPv6 faster :-)
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
