Puneet Sood <[email protected]> writes:
> Independent of the decision on EDE forwarding and caching, the I-D
> needs to have some guidance for it [truncation]. The EXTRA-TEXT field
> may be obtained from configuration and it is possible that the
> resulting DNS message will exceed UDP message size limit in the
> request.
I added this text to the next version:
<t>When the response grows beyond the requestor's UDP payload
size <xref target="RFC6891" />, servers SHOULD truncate messages
by dropping EDE options before dropping other data from
packets. Implementations SHOULD set the truncation bit when
dropping EDE options.</t>
(and we'll have a forwarding discussion in Singapore)
> > * 14.5.0.4 NOCHANGE 5. Security Considerations
> >
> > Para 2: "This information is unauthenticated information, and an
> > attacker (e.g. a MITM or malicious recursive server) could insert an
> > extended error response into already untrusted data ..." Comment:
> > Agree with some other comments that this is not relevant since no
> > action is expected to be taken based on EDEs. Comment: There are
> > ideas in the thread to have links to info in the EXTRA-TEXT and
> > possibly display it to users. I guess the usual warnings to not
> > click on potentially unsafe links apply.
> >
> > + Yeah, it really would be remiss to leave out that point. There may
> > be nothing we can do, but the whole point of a security
> > consideration is to properly disclose any known threats/issues.
>
> I do not see text mentioning this.
I think we're miscommunicating. Can you propose concrete text changes?
--
Wes Hardaker
USC/ISI
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
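The truncation rule in the text Wes quotes (drop EDE options before other data when the response exceeds the requestor's UDP payload size, and set TC when doing so) as a worked example in Python. This is added illustration, not code from the draft or from either author. It assumes the EDE option code 15 and INFO-CODE 6 (DNSSEC Bogus) as assigned in RFC 8914, uses NSID (option code 3) only as a stand-in for a non-EDE option that must survive, and the names, records and EXTRA-TEXT are constructed sample data.

```python
import struct
from dataclasses import dataclass, field, replace
from typing import List

EDE_OPTION_CODE = 15   # Extended DNS Error option code (assigned in RFC 8914; assumption for this example)
NSID_OPTION_CODE = 3   # NSID option, used here only as a non-EDE option that must survive truncation
TYPE_OPT = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
TYPE_A = 1
CLASS_IN = 1
FLAG_TC = 0x0200       # TrunCation bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_option(code: int, data: bytes) -> bytes:
    """EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data


def build_ede_option(info_code: int, extra_text: str = "") -> bytes:
    """EDE option data is a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT."""
    return build_option(EDE_OPTION_CODE, struct.pack("!H", info_code) + extra_text.encode("utf-8"))


def option_code(option: bytes) -> int:
    return struct.unpack("!H", option[:2])[0]


def build_rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_opt_rr(payload_size: int, options: List[bytes]) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = sender's UDP payload size, TTL = ext-RCODE/version/flags."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, 0, len(rdata)) + rdata


@dataclass
class Response:
    msg_id: int
    flags: int
    question: bytes
    answers: List[bytes] = field(default_factory=list)
    options: List[bytes] = field(default_factory=list)  # EDNS options carried in the OPT RR
    payload_size: int = 1232                             # payload size this server advertises

    def wire(self) -> bytes:
        # QDCOUNT=1, ANCOUNT=len(answers), NSCOUNT=0, ARCOUNT=1 (the OPT RR)
        header = struct.pack("!HHHHHH", self.msg_id, self.flags, 1, len(self.answers), 0, 1)
        return header + self.question + b"".join(self.answers) + build_opt_rr(self.payload_size, self.options)


def fit_to_payload_size(resp: Response, requestor_payload_size: int) -> Response:
    """Shrink resp to the requestor's advertised UDP payload size (the CLASS field of
    the OPT RR in the query, RFC 6891). EDE options are dropped first and TC is set;
    answer records are dropped only if that is still not enough."""
    if len(resp.wire()) <= requestor_payload_size:
        return resp
    fitted = replace(resp,
                     answers=list(resp.answers),
                     options=[o for o in resp.options if option_code(o) != EDE_OPTION_CODE],
                     flags=resp.flags | FLAG_TC)
    # Still too large after dropping EDE: fall back to dropping other data (answer RRs).
    while fitted.answers and len(fitted.wire()) > requestor_payload_size:
        fitted.answers.pop()
    return fitted


def sample_response(ede_text_len: int) -> Response:
    """Constructed sample: four A records plus an NSID option and one EDE option."""
    return Response(
        msg_id=0x1234,
        flags=0x8180,  # QR, RD, RA; RCODE NOERROR
        question=encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN),
        answers=[build_rr("example.com.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, i]))
                 for i in range(1, 5)],
        options=[build_option(NSID_OPTION_CODE, b"ns1.example"),
                 build_ede_option(6, "x" * ede_text_len)],  # INFO-CODE 6 = DNSSEC Bogus
    )


if __name__ == "__main__":
    r = sample_response(400)
    f = fit_to_payload_size(r, 512)
    print(len(r.wire()), "->", len(f.wire()), "TC set:", bool(f.flags & FLAG_TC),
          "EDE kept:", any(option_code(o) == EDE_OPTION_CODE for o in f.options))
```

With a 400-byte EXTRA-TEXT the sample response is 569 bytes; fitting it to a 512-byte requestor limit removes only the EDE option (the NSID option and all four answers survive) and sets TC, while a 150-byte limit additionally costs one answer record. A response that already fits is returned untouched, with TC clear.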