* Franck Martin:

> What is the recommended setup for EDNS?
> -limit size to <1500? on both IPv4 and IPv6?

Limit to packet size 1200 or less, and tell the kernel to disregard any path MTU information it has.

> -allow UDP fragmentation on IPv4 and IPv6, how securely?

Fragmentation in IPv4 is inherently insecure and introduces a DNS cache poisoning vulnerability. As specified, fragmentation in IPv6 is broken because the sender needs to keep track of clients which have requested atomic fragments. It is best to disregard this requirement and simply never send any packets with fragment headers, atomic or not.
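
The 1200-byte ceiling from the reply above, as an added example that is not part of the original message or of any DNS server's code: it reads the UDP payload size a client advertises in its EDNS OPT record, clamps it to 1200, and decides when a response has to go out truncated (TC=1) instead of fragmented. All function names and the sample query are constructed for illustration; the kernel path-MTU setting is not covered here.

```python
import struct

EDNS_LIMIT = 1200     # ceiling recommended in the message above
CLASSIC_LIMIT = 512   # plain DNS over UDP without EDNS (RFC 1035)
TYPE_OPT = 41         # EDNS pseudo-record type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:               # root label terminates the name
            return off
        off += length

def advertised_udp_size(query):
    """Return the EDNS UDP payload size in a query, or None if it has no OPT record."""
    qd, an, ns, ar = struct.unpack_from("!4H", query, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass                         # OPT reuses CLASS as the UDP size
    return None

def response_limit(query):
    """Largest UDP response to send: client's size, floored at 512, capped at 1200."""
    size = advertised_udp_size(query)
    if size is None:
        return CLASSIC_LIMIT
    return max(CLASSIC_LIMIT, min(size, EDNS_LIMIT))

def must_truncate(query, response_len):
    """True when the answer should carry TC=1 so the client retries over TCP."""
    return response_len > response_limit(query)

def make_query(udp_size=None):
    """Constructed sample: A query for example.com, optionally with an OPT record."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if udp_size is None else 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = b"" if udp_size is None else b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt
```
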
