On Wed, Jan 15, 2014 at 03:33:02PM -0800, Colm MacCárthaigh wrote:
> For DNS, we have the option to respond with a TC=1 response, so if I
> detected a datagram with suspicious or mismatching TTLs, TC=1 is a decent
> workaround. TCP is then much more robust against intermediary spoofing. I
> can't force the clients to use DF though.
That would need to be implemented as cmsg access to ancillary data and cannot be done as a netfilter module (unless the DNS packet generation is also implemented as a netfilter target). Because this touches core code, it really needs strong arguments to get accepted.

Maybe this can be done as part of the socket fragmentation notification work. I'll have a look, but I want to think first about how easily this can be circumvented. Maybe you already thought about that?

Thanks,

Hannes

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
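The TC=1 workaround Colm describes (answer over UDP with the truncation bit set so the resolver retries over TCP, where an off-path party cannot inject fragments) is easy to show on the wire. The following is an added illustration, not code from either poster or from any DNS server: it builds a constructed oversized A-record response, and `truncate_for_tcp` replaces it with a header-plus-question answer carrying TC=1, which is what a server would send when it decides a UDP reply should not be trusted to fragmentation. The name `example.test` and the 10.0.0.0/8 addresses are made up; the DNS header layout and the TC bit position come from RFC 1035.

```python
import struct

DNS_HEADER_LEN = 12
FLAG_TC = 0x0200  # TrunCation bit in the 16-bit flags word (RFC 1035 4.1.1)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def question_end(msg):
    """Return the offset just past the question section of a DNS message."""
    qdcount = struct.unpack('!H', msg[4:6])[0]
    offset = DNS_HEADER_LEN
    for _ in range(qdcount):
        while True:
            length = msg[offset]
            if length == 0:            # root label terminates the name
                offset += 1
                break
            if length & 0xC0:          # compression pointer: two bytes, ends the name
                offset += 2
                break
            offset += 1 + length
        offset += 4                    # QTYPE + QCLASS
    return offset


def is_truncated(msg):
    """True if the TC bit is set, i.e. the client should retry over TCP."""
    flags = struct.unpack('!H', msg[2:4])[0]
    return bool(flags & FLAG_TC)


def truncate_for_tcp(response, max_udp_payload=512):
    """Return `response` unchanged if it fits in the UDP budget; otherwise
    return only header + question with TC=1 and all RR counts zeroed, so the
    resolver discards the UDP reply and re-asks over TCP."""
    if len(response) <= max_udp_payload:
        return response
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack(
        '!6H', response[:DNS_HEADER_LEN])
    header = struct.pack('!6H', qid, flags | FLAG_TC, qdcount, 0, 0, 0)
    return header + response[DNS_HEADER_LEN:question_end(response)]


def build_sample_response(qid, name, addresses):
    """Constructed sample: a QR/RD/RA response with one A RR per address,
    each owner name a compression pointer to the question name (offset 12)."""
    header = struct.pack('!6H', qid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack('!HH', 1, 1)   # A, IN
    answers = b''
    for addr in addresses:
        # owner=ptr(0x0C), TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
        answers += b'\xC0\x0C' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes(addr)
    return header + question + answers


def demo():
    """Constructed 40-record answer (670 bytes) versus its TC=1 replacement."""
    big = build_sample_response(0x1234, 'example.test',
                                [(10, 0, 0, i) for i in range(1, 41)])
    small = truncate_for_tcp(big)
    return len(big), len(small), is_truncated(big), is_truncated(small)


if __name__ == '__main__':
    print(demo())   # (670, 30, False, True)
```

The decision of *when* to truncate is the server's policy; here it is just a size budget, but the same function applies if the trigger is instead a suspicious fragment, as in the thread. On the client side, `is_truncated` is the check a stub or recursive resolver performs before opening the TCP retry.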