On Mar 19, 2010, at 6:09 AM, George Barwood wrote:

> 
> ----- Original Message ----- 
> From: "Nicholas Weaver" <[email protected]>
> To: "George Barwood" <[email protected]>
> Cc: "Nicholas Weaver" <[email protected]>; "Matt Larson" 
> <[email protected]>; <[email protected]>
> Sent: Friday, March 19, 2010 12:33 PM
> Subject: Re: [DNSOP] Should root-servers.net be signed
> 
>> On Mar 19, 2010, at 12:21 AM, George Barwood wrote:
>>> I suggest the default value in BIND for max-udp-size should be 1450.
>>> This appears to be best practice.
>>> Since few zones are currently signed, it's not too late to make this change.
>>> Later on it may be more difficult.
> 
> 
>> Actually, I'd say this ONLY for the root and TLDs.  For the rest, the onus 
>> should be on the resolver to discover that it can't handle fragmentation and 
>> adjust the MTU appropriately.
> 
> There are advantages besides messages being lost.
> It also prevents spoofing of fragments, and limits amplification attacks.

It doesn't limit amplification attacks by much if at all, and spoofing of 
fragments is not likely to be happening in large responses, because large 
responses will almost invariably be due to DNSSEC.

Since 90% CAN handle fragments, those 90% SHOULD be able to use fragments, 
especially since the broken 10% will see higher lookup latency, NOT full 
failure to resolve.
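An added toy model of the fallback argument above (my own illustration, not code from the thread or from BIND): a resolver first asks with a large EDNS0 buffer, retries with a buffer sized under the path MTU when fragments are silently dropped, and only then falls back to TCP. The ladder values 4096/1450/512, the 1500-byte MTU and the fragment-dropping path are assumptions chosen to show extra round trips rather than outright failure.

```python
"""Constructed simulation of a resolver's EDNS0 buffer-size fallback.

A path either delivers IP fragments or silently drops them (the "broken 10%").
The resolver walks a ladder of EDNS0 UDP buffer sizes and falls back to TCP
when the server sets TC. The result is counted in round trips, so the cost of
a dropped fragment shows up as latency, not as a failed lookup.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
PATH_MTU = 1500  # assumed Ethernet-sized path MTU


@dataclass(frozen=True)
class Path:
    delivers_fragments: bool


def fragments(response_size: int, mtu: int = PATH_MTU) -> bool:
    """True if a DNS payload of this size would be IP-fragmented on the path."""
    return response_size + IPV4_HDR + UDP_HDR > mtu


def udp_query(response_size: int, bufsize: int, path: Path) -> str:
    """One UDP exchange: 'ok', 'truncated' (server set TC=1), or 'timeout'."""
    if response_size > bufsize:
        return "truncated"  # server replies with TC=1 in a datagram that fits
    if fragments(response_size) and not path.delivers_fragments:
        return "timeout"    # fragments dropped on the path; client sees nothing
    return "ok"


def resolve(response_size: int, path: Path, ladder=(4096, 1450, 512)):
    """Try each advertised buffer size in turn, then TCP.

    Returns (transport_used, round_trips). A smaller default buffer (e.g. a
    ladder of just (1450,)) pushes every large DNSSEC answer to TCP, even for
    clients whose path would have delivered the fragments.
    """
    attempts = 0
    for bufsize in ladder:
        attempts += 1
        outcome = udp_query(response_size, bufsize, path)
        if outcome == "ok":
            return "udp", attempts
        if outcome == "truncated":
            break  # TC=1 means retrying with a smaller buffer cannot help
    attempts += 1  # the TCP query
    return "tcp", attempts
```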

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop