On 4 Sep 2013, at 15:34, Stephane Bortzmeyer <[email protected]> wrote:
>> Don't fragment at all, set TC=1 on responses which would cause UDP
>> or lower layer fragmentation
>
> Not obvious to implement, the application (the name server) typically
> does not know the path MTU before sending an UDP packet to a
> destination (it's the kernel's job).

That's quite right, Stephane. However, in these sorts of situations, ugly things like layering violations might have to be invoked: "To hell with PMTU, I'm going to truncate any DNS response that's more than N bytes, no matter what the max fragment size might be between here and the destination. Have a nice day."

I'm not suggesting that this is a viable long-term solution or even the silver bullet. It could however be a pragmatic way of damage limitation when an actual attack is in progress.

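The "truncate anything over N bytes, regardless of PMTU" fallback discussed in the message above, as an added worked example (not code from the thread or from any name server): the responder looks only at the size of the wire-format reply, and anything over the configured limit is cut back to header plus question with TC=1 set, leaving it to the client to retry over TCP. The OPT record is carried over into the truncated reply because RFC 6891 requires the minimal EDNS response to keep it; the limit (1232), the names and the addresses are constructed sample data, and the tiny message builder exists only so the example runs offline.

```python
import struct

TYPE_A = 1
TYPE_OPT = 41
FLAG_TC = 0x0200  # TC bit in the DNS header flags word


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, addrs, edns_size=4096):
    """Constructed sample response: QR=1 AA=1, one question, N A records, one OPT."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(addrs), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for a in addrs:
        # owner is a compression pointer to the question name at offset 12
        rdata = bytes(int(x) for x in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    # OPT pseudo-RR: root owner, CLASS carries the advertised UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return hdr + question + answers + opt


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def skip_rr(msg, off):
    """Return (offset past the RR, RR type)."""
    off = skip_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return off + 10 + rdlen, rtype


def parse_header(msg):
    """(txid, flags, qdcount, ancount, nscount, arcount)"""
    return struct.unpack_from("!HHHHHH", msg, 0)


def truncate_if_large(msg, limit):
    """Ignore PMTU entirely: any reply longer than `limit` bytes becomes
    header + question (+ OPT, if the query used EDNS) with TC=1."""
    if len(msg) <= limit:
        return msg
    txid, flags, qd, an, ns, ar = parse_header(msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    question = msg[12:off]
    for _ in range(an + ns):  # answer and authority are dropped wholesale
        off, _ = skip_rr(msg, off)
    opt = b""
    for _ in range(ar):  # keep only the OPT record from additional
        start = off
        off, rtype = skip_rr(msg, off)
        if rtype == TYPE_OPT:
            opt = msg[start:off]
    hdr = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 1 if opt else 0)
    return hdr + question + opt


def demo(limit=1232):
    """Constructed input: a reply with 100 A records that would fragment on
    most paths, and a small one that would not."""
    big = build_response(0x1234, "example.com", ["10.0.0.%d" % i for i in range(100)])
    small = build_response(0x1235, "example.com", ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    return truncate_if_large(big, limit), truncate_if_large(small, limit), big, small


if __name__ == "__main__":
    big_out, small_out, big, small = demo()
    print("big: %d -> %d bytes, flags=0x%04x" % (len(big), len(big_out), parse_header(big_out)[1]))
    print("small: %d -> %d bytes" % (len(small), len(small_out)))
```

A resolver that receives the truncated reply retries over TCP, so the cost of this hack is a TCP round trip for every large answer rather than silently lost or spoofable fragments; the limit should sit under the common unfragmented-path size, hence 1232 in the sample.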