On Fri, 2020-07-31 at 00:23 +0100, Tony Finch wrote:
> * should set the DONTFRAG option on responses
> 
> * should listen for ICMP frag needed packets, and react by re-sending the
>   response (which is embedded in the ICMP packet) with a TC bit set

Only part of the response is embedded in the ICMP packet. With some luck, 
enough of the query is embedded in the ICMP packet (I'm unsure about EDNS). I'm 
unsure it's even easy for a user space process to get that ICMP packet.

That all said, this sounds like a splendid way to allow 'request spoofing' even 
if everybody does BCP38 (ingress filtering). The ICMP packet could come from 
any IP (so no spoofing protection), but the ICMP *payload* which you then treat 
as believable IP headers is not subject to BCP38 checking, as far as I 
understand. I know we have a state problem in DNS servers forgetting about a 
query the moment they responded to it, but I don't think scavenging that query 
from incoming ICMP packets is the solution.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
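As an added example, not part of this thread or of any PowerDNS code: a small Python model of what an RFC 792 "fragmentation needed" message actually quotes, using constructed addresses and a constructed DNS response (names, ports and the 0xBEEF ID are assumptions). It shows the point made above: with the 8 quoted payload bytes RFC 792 guarantees, a server recovers only the UDP ports, not the DNS header (so no ID or EDNS), and everything it does recover comes from an ICMP payload that ingress filtering never checked.

```python
import struct

def ipv4_header(src, dst, total_len, proto=17):
    """Minimal 20-byte IPv4 header with DF set (checksum left 0; demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, src, dst)

def udp_dns_datagram(src, dst, sport, dport, dns_msg):
    """IPv4 + UDP datagram carrying a DNS message (constructed sample)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns_msg), 0) + dns_msg
    return ipv4_header(src, dst, 20 + len(udp)) + udp

def icmp_frag_needed(orig_datagram, next_hop_mtu, quoted=8):
    """ICMP Destination Unreachable, code 4 (frag needed and DF set).
    RFC 792 requires only the original IP header plus 8 bytes of its payload;
    RFC 1812 lets routers quote more (up to 576 bytes total). 'quoted' picks."""
    ihl = (orig_datagram[0] & 0x0F) * 4
    body = orig_datagram[: ihl + quoted]
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + body

def parse_frag_needed(icmp):
    """What a DNS server could read back from such a packet. Fields the quoted
    bytes do not reach (e.g. the DNS ID with an 8-byte quote) come back None.
    Note: src/dst are whatever the ICMP sender put there, not verified data."""
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        raise ValueError("not an ICMP fragmentation-needed message")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    payload = inner[ihl:]
    info = {"mtu": mtu, "src": inner[12:16], "dst": inner[16:20],
            "sport": None, "dport": None, "dns_id": None}
    if len(payload) >= 8:                      # UDP header fully quoted
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    if len(payload) >= 8 + 12:                 # full 12-byte DNS header quoted
        info["dns_id"] = struct.unpack("!H", payload[8:10])[0]
    return info

# Constructed sample: a DNS response from 192.0.2.53:53 to 198.51.100.7:4242, ID 0xBEEF
DNS_RESPONSE = (struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03com\x00\x00\x01\x00\x01")
DATAGRAM = udp_dns_datagram(bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7]),
                            53, 4242, DNS_RESPONSE)
MINIMAL = parse_frag_needed(icmp_frag_needed(DATAGRAM, 1280))              # RFC 792 minimum
EXTENDED = parse_frag_needed(icmp_frag_needed(DATAGRAM, 1280, quoted=64))  # router quotes more

if __name__ == "__main__":
    print("8-byte quote:", MINIMAL)     # dns_id is None: only ports survive
    print("extended quote:", EXTENDED)  # dns_id 0xBEEF visible, still unverified
```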

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop