In message <[email protected]>, Florian Weimer writes:

> * Franck Martin:
>
> > What is the recommended setup for EDNS?
> > -limit size to <1500? on both IPv4 and IPv6?
>
> Limit to packet size 1200 or less, and tell the kernel to disregard
> any path MTU information it has.
>
> > -allow UDP fragmentation on IPv4 and IPv6, how securely?
>
> Fragmentation in IPv4 is inherently insecure and introduces a DNS
> cache poisoning vulnerability.
>
> As specified, fragmentation in IPv6 is broken because the sender needs
> to keep track of clients which have requested atomic fragments. It is
> best to disregard this requirement and simply never send any packets
> with fragment headers, atomic or not.
Truly, fragmented packets get to recursive servers most of the time, and for those that don't, the recursive server can adjust to the path's characteristics. Not sending fragmented packets penalizes sites that do the right thing and accept fragments. It forces them to go to TCP more often and forces PMTUD to occur on the TCP socket, as more stacks correctly handle fragmenting UDP packets than correctly adjust TCP packet sizes to prevent PMTUD in the first place.

Sending fragmented DNS/UDP/IPv6 at 1280 works better than sending DNS/TCP/IPv6 at 1500 when the resolver is behind a tunnel, which is still very much the case. If you insist on limiting UDP responses to 1280, then set the interface MTU to 1280 so the TCP MSS negotiation works with this value and, as a result, PMTUD doesn't need to occur.

As for atomic fragments, it is a separate issue out of the control of the nameserver.

As for cache poisoning, send signed data and use DNS COOKIES or SIT, or, if you are really worried about injected fragments, add a 64 bit cryptographic hash as an EDNS option. Track whether a server supports DNS COOKIES, SIT and the cryptographic hash. If you don't get the options returned, you discard the response.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
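The "discard the response if the option does not come back" rule from the message above, as an added example that is not part of the original thread and is not ISC or BIND code. It builds a DNS query carrying an EDNS0 OPT record with an advertised UDP payload size and a DNS COOKIE option (EDNS option code 10, RFC 7873), then checks a response: the ID must match, QR must be set, and, when the server is already known to support cookies, the response must echo the 8-byte client cookie followed by a server cookie, or it is dropped. The "server" here is a constructed stand-in (`fake_server_response`) used to produce both a correct reply and a reply with a forged or missing cookie; the `server_supports_cookies` flag stands in for whatever per-server capability table a real resolver keeps. Only the standard library is used.

```python
import os
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type
COOKIE_OPTION = 10   # EDNS option code for DNS COOKIE (RFC 7873)


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off:], honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def build_query(qname, udp_size, client_cookie, msg_id=None):
    """A-record query with an OPT RR advertising udp_size and carrying a client cookie."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD set, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)       # type A, class IN
    rdata = struct.pack("!HH", COOKIE_OPTION, len(client_cookie)) + client_cookie
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata
    return header + question + opt


def parse_opt(msg):
    """Parse header, skip the question, and collect the OPT RR's payload size and options."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    result = {"id": msg_id, "flags": flags, "udp_size": None, "options": {}}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            result["udp_size"] = rclass
            pos = 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                result["options"][code] = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
    return result


def accept_response(query, response, server_supports_cookies):
    """True if the response is one we keep; False if the resolver should discard it."""
    q, r = parse_opt(query), parse_opt(response)
    if r["id"] != q["id"] or not r["flags"] & 0x8000:   # wrong ID or QR bit clear
        return False
    client_cookie = q["options"][COOKIE_OPTION]
    cookie = r["options"].get(COOKIE_OPTION)
    if cookie is None:
        # A server already known to do cookies must return one; otherwise discard.
        return not server_supports_cookies
    # Full cookie = 8-byte client cookie + 8..32-byte server cookie, and the
    # client half must be the one we sent in this query.
    return 16 <= len(cookie) <= 40 and cookie[:8] == client_cookie


def fake_server_response(query, server_cookie=None, client_cookie=None, udp_size=1232):
    """Constructed stand-in for an authoritative server (not a real DNS implementation).

    server_cookie=None omits the COOKIE option entirely; client_cookie overrides the
    echoed client half so a forged/injected reply can be simulated.
    """
    q = parse_opt(query)
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 0, 0, 1)   # QR, RD, RA; AR=1
    if client_cookie is None:
        client_cookie = q["options"].get(COOKIE_OPTION, b"")
    rdata = b""
    if server_cookie is not None:
        cookie = client_cookie + server_cookie
        rdata = struct.pack("!HH", COOKIE_OPTION, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata
    return header + question + opt
```

The response check deliberately does not parse answer records: the point is the admission test applied before any data reaches the cache. A resolver following the message's advice would record `server_supports_cookies` per server address the first time a cookie comes back, and from then on refuse cookie-less answers from it.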
