Aaron Campbell wrote:
> Here is a thought, but I will defer to the protocol experts on plausibility.
> The resolver knows the size of each DNS message it parses. What if it didn't
> trust glue records contained within large (i.e., > 1400 bytes or so)
> responses? In these cases, the resolver sends a separate query to resolve
> the dangling authority NS records. This introduces overhead, but only for
> large replies. It also makes a few assumptions, namely that the
> fragmentation point is something around 1500 bytes (and not something lower),
> and that the attack is only practical against the glue records, not the
> authority section. May be able to play games with name compression there
> though... perhaps it is at least worth discussing as an additional barrier.
This sounds vaguely similar to unbound's "harden-referral-path" option, though it applies to all lookups.

-- 
Robert Edmonds
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
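As an added illustration of the policy Aaron sketches (not code from this thread, and not how unbound implements harden-referral-path), the following Python models a resolver that parses a referral, accepts glue only from responses at or below a size threshold, and otherwise hands the NS names back for separate lookup. The 1400-byte threshold, the constructed referral messages, the helper names, and the private-use RR type used as padding are all assumptions made here; it also keeps the usual in-bailiwick rule, so glue for a nameserver outside the delegated zone is never trusted regardless of size.

```python
import struct

# Assumed threshold: the thread says "1400 bytes or so"; tune to the real fragmentation point.
GLUE_SIZE_THRESHOLD = 1400

TYPE_A, TYPE_NS, TYPE_FILLER = 1, 2, 65280  # 65280 is in the private-use RR type range


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off, max_hops=64):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                             # stream resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > max_hops:                           # defend against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_referral(qname, zone, nameservers, glue, filler=0):
    """Construct a referral: empty answer, NS RRs in authority, A glue in additional.
    Later NS owners use a compression pointer to the first; `filler` bytes pad the reply."""
    arcount = len(glue) + (1 if filler else 0)
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, 0, len(nameservers), arcount)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    zone_off = len(msg)
    for i, ns in enumerate(nameservers):
        owner = encode_name(zone) if i == 0 else struct.pack("!H", 0xC000 | zone_off)
        rdata = encode_name(ns)
        msg += owner + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(rdata)) + rdata
    for name, ip in glue:
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, 3600, 4)
        msg += bytes(int(o) for o in ip.split("."))
    if filler:                                            # constructed padding record
        msg += encode_name("filler.example.") + struct.pack("!HHIH", TYPE_FILLER, 1, 0, filler)
        msg += b"\x00" * filler
    return msg


def parse_sections(msg):
    """Return NS (owner, target) pairs from authority and A (owner, ip) pairs from additional."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                          # qtype + qclass
    authority, additional = [], []
    for section, count in ((None, an), (authority, ns), (additional, ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off = off + 10
            off = rdata_off + rdlen
            if section is authority and rtype == TYPE_NS:
                authority.append((owner, read_name(msg, rdata_off)[0]))
            elif section is additional and rtype == TYPE_A and rdlen == 4:
                additional.append((owner, ".".join(str(b) for b in msg[rdata_off:off])))
    return authority, additional


def in_bailiwick(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def evaluate_referral(msg, threshold=GLUE_SIZE_THRESHOLD):
    """Return (trusted glue {ns: ip}, NS names the resolver must look up itself)."""
    authority, additional = parse_sections(msg)
    if not authority:
        return {}, []
    zone = authority[0][0]
    ns_names = {target for _, target in authority}
    trusted = {}
    if len(msg) <= threshold:                             # large replies: ignore glue entirely
        for owner, ip in additional:
            if owner in ns_names and in_bailiwick(owner, zone):
                trusted[owner] = ip
    return trusted, sorted(ns_names - set(trusted))


if __name__ == "__main__":
    ns, glue = ["ns1.example.", "ns2.example."], [("ns1.example.", "192.0.2.1"), ("ns2.example.", "192.0.2.2")]
    for pad in (0, 1500):
        reply = build_referral("www.example.", "example.", ns, glue, filler=pad)
        print(len(reply), "bytes ->", evaluate_referral(reply))
```

The cost Aaron mentions is visible in the second return value: for the padded reply every delegated nameserver comes back as a name to resolve separately, while the small reply needs no extra queries at all.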
