It is time to drop fragmentation (and pMTU discovery) in DNS.

A research paper showed that there are many authoritative servers that
accept any ICMP destination unreachable / fragmentation needed and DF
set (pMTU response) packets and reduce their packet size to as low as
296 bytes.  Path MTU discovery is controlled by any attacker.  Then the
authors sent trigger queries and did a second fragmentation attack
against the CA's resolvers.

  https://dl.acm.org/citation.cfm?id=3243790
  Domain Validation++ For MitM-Resilient PKI
  Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, Michael Waidner
  Fraunhofer SIT, TU Darmstadt

The proposed solution is not good. DNS with TCP transport is enough, I think.

I would like to propose dropping fragmentation and pMTU discovery in DNS.

Authoritative servers should drop ICMP fragmentation needed messages,
set a static EDNS buffer size of 1220, and set the DF bit in responses.

On resolver machines, I would like to drop fragmented response packets.
We can write an IP filter that drops fragmented packets to resolvers,
but it is not beautiful.

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

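Added example (not part of the post above, and not code from JPRS or the paper's authors): the packet-level checks that the two halves of the proposal boil down to. On the resolver side it classifies an IPv4 datagram as a fragment (MF flag set or non-zero fragment offset), which is exactly what a "drop fragmented packets to resolvers" filter has to test. On the authoritative side it sets the DF bit on a response and clamps the UDP payload size advertised in the EDNS OPT record to the proposed 1220 bytes. The IPv4 and DNS packets are constructed inline for the demonstration; IPv4 only is assumed (IPv6 carries fragmentation in an extension header and is not handled here), and the IP checksum is left at zero because a real sender would recompute it after touching the flags field.

```python
"""Fragment classification, DF bit, and EDNS buffer-size clamping (constructed samples)."""
import struct

EDNS_BUFSIZE = 1220          # buffer size proposed in the post
IP_FLAG_DF = 0x4000          # "don't fragment" bit in the IPv4 flags/offset field
IP_FLAG_MF = 0x2000          # "more fragments" bit
FRAG_OFFSET_MASK = 0x1FFF    # 13-bit fragment offset (in 8-byte units)
TYPE_OPT = 41                # EDNS OPT pseudo-RR type


def ipv4_header(flags_frag: int, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))


def is_fragment(packet: bytes) -> bool:
    """True for the first fragment (MF set) and for later ones (offset != 0)."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & IP_FLAG_MF) or (flags_frag & FRAG_OFFSET_MASK) != 0


def resolver_accepts(packet: bytes) -> bool:
    """Resolver-side rule from the post: drop any fragmented datagram."""
    return not is_fragment(packet)


def has_df(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & IP_FLAG_DF)


def set_df(packet: bytes) -> bytes:
    """Authoritative-side rule: return a copy of the packet with DF set."""
    flags_frag = struct.unpack("!H", packet[6:8])[0] | IP_FLAG_DF
    return packet[:6] + struct.pack("!H", flags_frag) + packet[8:]


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format domain name, including compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def find_opt(msg: bytes):
    """Offset of the OPT RR's UDP payload size field, or None if the message has no EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return off + 2                                # CLASS field carries the size
        off += 10 + rdlen
    return None


def edns_udp_size(msg: bytes):
    off = find_opt(msg)
    return None if off is None else struct.unpack("!H", msg[off:off + 2])[0]


def clamp_edns_udp_size(msg: bytes, limit: int = EDNS_BUFSIZE) -> bytes:
    """Rewrite an advertised UDP payload size larger than `limit` down to `limit`."""
    off = find_opt(msg)
    if off is None or struct.unpack("!H", msg[off:off + 2])[0] <= limit:
        return msg
    return msg[:off] + struct.pack("!H", limit) + msg[off + 2:]


def build_query(name: str = "example.com", udp_size=4096) -> bytes:
    """Constructed A query; udp_size=None omits the OPT record entirely."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    if udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


if __name__ == "__main__":
    frag = ipv4_header(IP_FLAG_MF, 8)
    print("fragment accepted by resolver:", resolver_accepts(frag))
    print("DF set on response:", has_df(set_df(ipv4_header(0, 8))))
    q = build_query(udp_size=4096)
    print("advertised size:", edns_udp_size(q), "-> clamped:",
          edns_udp_size(clamp_edns_udp_size(q)))
```

The `is_fragment` test is the part that matters for the filter: matching only on the "more fragments" bit would still let the last fragment of a spoofed response through, so both MF and the offset are checked.
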
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop