On 3/19/10 8:32 AM, George Barwood wrote:
There are advantages besides messages being lost.
It also prevents spoofing of fragments, and limits amplification attacks.
It doesn't limit amplification attacks by much if at all
It cuts the response from 4K to 1.5K, and I think it is fragmentation that
contributes to these attacks being damaging.
and spoofing of fragments is not likely to be happening in large responses,
because large responses will almost invariably be due to DNSSEC.
Resolvers may set DO=1 but not validate everything (or even anything).
Taking .SE as an example, by sending an open resolver that doesn't/cannot
randomize ports the query [NS SE], if the .SE servers don't conceal the IP ID,
only 1 spoof packet is needed, and poisoning is easy and certain, is it not?
Note: the .SE example does not truncate; it's very unusual for a response to be
truncated with an EDNS @ 1450.
I think it's best to have a conservative value as the default setting, and that
is 1450 bytes.
1450 is not a conservative value anymore.
See RFC2460 Section 5.
(dealing with IPv6/1280 -> IPv4/<1280)
,---
In response to an IPv6 packet that is sent to an IPv4 destination
(i.e., a packet that undergoes translation from IPv6 to IPv4), the
originating IPv6 node may receive an ICMP Packet Too Big message
reporting a Next-Hop MTU less than 1280. In that case, the IPv6 node
is not required to reduce the size of subsequent packets to less than
1280, but must include a Fragment header in those packets so that the
IPv6-to-IPv4 translating router can obtain a suitable Identification
value to use in resulting IPv4 fragments. Note that this means the
payload may have to be reduced to 1232 octets (1280 minus 40 for the
IPv6 header and 8 for the Fragment header), and smaller still if
additional extension headers are used.
'---
This should guide the recommended DNS message size fallback of say
1232 or less, depending upon other extension headers being used.
Bill Manning suggested 1220B, see:
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg02996.html
-Doug
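As an added illustration of the size arithmetic above (not code from the thread or from any of its participants), the Python below computes the RFC 2460 figure of 1232 octets from the IPv6 minimum MTU and the Fragment header, builds a query whose EDNS0 OPT record advertises a buffer derived from it, and parses a reply to read the responder's advertised size and the TC bit. Two things are my own assumptions: the 8-octet UDP header is also subtracted to get the DNS-message figure (1224, which is within the "1232 or less" above), and the sample reply, its answer name "ns.example." and the fixed message ID 0x1234 are constructed for reproducibility, not captured from any real server.

```python
import struct

# Octet counts from RFC 2460 section 5 (quoted in the thread) plus the UDP header.
IPV6_MIN_MTU = 1280
IPV6_HEADER_LEN = 40
IPV6_FRAG_HEADER_LEN = 8
UDP_HEADER_LEN = 8
OPT_TYPE = 41       # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000     # DNSSEC OK flag in the OPT TTL field


def ipv6_payload_after_fragment_header(mtu=IPV6_MIN_MTU, other_ext_header_len=0):
    """Upper-layer octets that fit in one IPv6 packet of size MTU once the
    fixed header and a Fragment header are present: 1232 with the defaults,
    smaller if further extension headers are used (RFC 2460 section 5)."""
    return mtu - IPV6_HEADER_LEN - IPV6_FRAG_HEADER_LEN - other_ext_header_len


def edns_udp_payload_size(mtu=IPV6_MIN_MTU, other_ext_header_len=0):
    """EDNS0 'requestor's UDP payload size' that keeps a reply in one packet
    on a minimum-MTU IPv6 path. The EDNS value counts only the DNS message,
    so the 8-octet UDP header is subtracted too (my derivation, giving 1224)."""
    return ipv6_payload_after_fragment_header(mtu, other_ext_header_len) - UDP_HEADER_LEN


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_edns_query(qname, qtype, payload_size, do_bit=True, msg_id=0x1234):
    """DNS query with RD set and one OPT RR in the additional section.
    MSG_ID is fixed here only so the example is reproducible; a real resolver
    must randomise the ID and the source port (the poisoning point above)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # CLASS IN
    # OPT RR: root NAME, TYPE 41, CLASS carries the payload size,
    # TTL carries ext-RCODE/version/DO/Z, RDLENGTH 0 (no options).
    ttl = DO_BIT if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, ttl, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past the name at OFF (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns_response(data):
    """Header flags plus the OPT RR (if any) of a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": msg_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an,
            "edns_payload_size": None, "do": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            info["edns_payload_size"] = rclass  # responder's buffer size
            info["do"] = bool(ttl & DO_BIT)
        off += rdlen
    return info


def next_transport(info):
    """TC set means the answer did not fit the advertised size: retry over TCP."""
    return "tcp" if info["tc"] else "udp"


def constructed_response(query, truncated=False):
    """Fake reply to QUERY (constructed sample data, not captured from any
    real server): one NS answer pointing at a made-up name and an OPT RR
    advertising a 4096-octet buffer, optionally with TC set."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA (+TC)
    question = query[12:skip_name(query, 12) + 4]
    rdata = encode_name("ns.example.")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 1) + question + answer + opt


if __name__ == "__main__":
    q = build_edns_query("se.", 2, edns_udp_payload_size())  # NS SE, as in the thread
    r = parse_edns_response(constructed_response(q))
    print("advertised", edns_udp_payload_size(), "responder OPT", r["edns_payload_size"],
          "TC", r["tc"], "->", next_transport(r))
```

The query builder writes the buffer size into the OPT CLASS field and the DO bit into the top bit of the OPT TTL, which is where a responder reads them; the parser walks every section so the OPT is found wherever it sits in the additional section. Whether 1232, 1224 or 1220 is chosen, the check that matters operationally is the one in next_transport: a truncated reply is the signal to fall back to TCP rather than to rely on fragments arriving.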
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop