>> There are advantages besides messages being lost.
>> It also prevents spoofing of fragments, and limits amplification attacks.

> It doesn't limit amplification attacks by much if at all

It cuts the response from 4K to 1.5K, and I think it is fragmentation that contributes to these attacks being damaging.

> and spoofing of fragments is not likely to be happening in large responses,
> because large responses will almost invariably be due to DNSSEC.

Resolvers may set DO=1 but not validate everything (or even anything). Taking .SE as an example, by sending an open resolver that doesn't/cannot randomize ports the query [NS SE], if the .SE servers don't conceal the IP ID, only 1 spoofed packet is needed, and poisoning is easy and certain, is it not?

Note: the .SE example does not truncate; it's very unusual for a response to be truncated with an EDNS @ 1450.

I think it's best to have a conservative value as the default setting, and that is 1450 bytes.

George

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
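To make the fragmentation argument in this exchange concrete, here is an added Python calculation; it is not part of the thread and not code from any DNS implementation. It uses the fixed IPv4, IPv6 and UDP header sizes, a 1500-byte Ethernet MTU, and a constructed 31-byte query (header, QNAME "se", type/class and an OPT record), and reports how many IP packets a response of a given size needs and how much larger the reflected traffic is than the query, for the 4K and 1450-byte EDNS buffer sizes discussed above. The MTU, buffer sizes and query size are illustrative inputs, not values taken from the thread beyond 4K and 1450.

```python
"""Added example (not from the DNSOP thread): how an EDNS UDP buffer size
relates to IP fragmentation on a 1500-byte Ethernet path, and how the
reflected-to-query byte ratio changes between a 4K and a 1450-byte buffer.
Header sizes are the fixed IPv4/IPv6/UDP values; the MTU, buffer sizes and
the 31-byte query used below are constructed inputs for illustration."""

import math

IPV4_HEADER = 20        # IPv4 header without options
IPV6_HEADER = 40        # fixed IPv6 header
IPV6_FRAG_EXT = 8       # IPv6 Fragment extension header, added by the sender
UDP_HEADER = 8
ETHERNET_MTU = 1500
QUERY_PAYLOAD = 31      # constructed: 12-byte header + "se" QNAME + type/class + OPT


def max_unfragmented_payload(mtu=ETHERNET_MTU, ipv6=False):
    """Largest UDP payload (DNS message) that fits in one packet on `mtu`."""
    ip_hdr = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip_hdr - UDP_HEADER


def fragment_count(payload, mtu=ETHERNET_MTU, ipv6=False):
    """Number of IP packets needed to carry a UDP payload of `payload` bytes.

    An oversized IPv4 datagram is cut into fragments that each repeat the IP
    header; all but the last carry a multiple of 8 bytes. IPv6 routers never
    fragment: the sender splits the datagram and prepends an 8-byte Fragment
    extension header to every piece.
    """
    transport = UDP_HEADER + payload          # UDP header rides in the first fragment only
    ip_hdr = IPV6_HEADER if ipv6 else IPV4_HEADER
    if ip_hdr + transport <= mtu:
        return 1                              # fits in a single packet, no fragmentation
    per_fragment = mtu - ip_hdr - (IPV6_FRAG_EXT if ipv6 else 0)
    per_fragment -= per_fragment % 8          # fragment offsets count 8-byte units
    return math.ceil(transport / per_fragment)


def reflection_ratio(response_payload, query_payload=QUERY_PAYLOAD, ipv6=False):
    """Bytes that leave the reflector per byte that reached it, counting the
    IP and UDP headers of every fragment of the response."""
    ip_hdr = IPV6_HEADER if ipv6 else IPV4_HEADER
    n = fragment_count(response_payload, ipv6=ipv6)
    frag_ext = IPV6_FRAG_EXT if (ipv6 and n > 1) else 0
    wire_out = response_payload + UDP_HEADER + n * (ip_hdr + frag_ext)
    wire_in = query_payload + UDP_HEADER + ip_hdr
    return wire_out / wire_in


def report(buffer_sizes=(4096, 1500, 1450)):
    """Tabulate fragment count and reflection ratio per EDNS buffer size."""
    rows = []
    for size in buffer_sizes:
        for ipv6 in (False, True):
            rows.append((size, "IPv6" if ipv6 else "IPv4",
                         fragment_count(size, ipv6=ipv6),
                         round(reflection_ratio(size, ipv6=ipv6), 1)))
    return rows


if __name__ == "__main__":
    print("single-packet limit: IPv4 %d bytes, IPv6 %d bytes"
          % (max_unfragmented_payload(), max_unfragmented_payload(ipv6=True)))
    for size, fam, frags, ratio in report():
        print("EDNS %4d %s: %d packet(s), reflection ratio x%.1f" % (size, fam, frags, ratio))
```

A 1450-byte buffer stays below the single-packet limit for both IPv4 (1472) and IPv6 (1452) on a 1500-byte path, so the response arrives as one datagram; a 4096-byte buffer needs three packets on either family, which is the fragmentation the message above argues makes large responses both more damaging and easier to spoof.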
