On Wed, Sep 18, 2019 at 5:56 PM Florian Obser <[email protected]> wrote:
>
> On Tue, Sep 17, 2019 at 08:19:29PM +0400, logan wrote:
> > Hi All,
> >
> > There was a presentation about fragmentation attacks against DNS:
> > https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf
> >
> > DNS Flag day 2020 recommends 1232 to avoid fragmentation in most
> > common setups.
> >
>
> What is upstream's stance on this?
>

They are still discussing the issue.



> > Index: src/etc/nsd.conf
> > ===================================================================
> > RCS file: /cvs/src/etc/nsd.conf,v
> > retrieving revision 1.13
> > diff -u -p -r1.13 nsd.conf
> > --- src/etc/nsd.conf  16 Aug 2018 17:59:12 -0000      1.13
> > +++ src/etc/nsd.conf  17 Sep 2019 15:43:48 -0000
> > @@ -17,6 +17,11 @@ server:
> >  ## on by default
> >  #    refuse-any: yes
> >
> > +## respond with a small EDNS buffer size to avoid
> > +## fragmentation attacks leading to spoofed DNS packets.
> > +#    ipv4-edns-size: 1232
> > +#    ipv6-edns-size: 1232
> > +
> >  remote-control:
> >       control-enable: yes
> >       control-interface: /var/run/nsd.sock
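Review bot: the added `ipv4-edns-size` / `ipv6-edns-size` lines are commented out, so this hunk is documentation only and nsd keeps whatever its built-in default is; since the reply above says upstream is still discussing the issue, leaving it off by default is reasonable, but the comment should then state the current default next to the suggested value, the way the unbound.conf block does with "Default 4096.", so an administrator can see what they are changing from. It would also help to name the source of 1232 in the comment (the DNS Flag Day 2020 recommendation cited at the top of the thread), e.g. `## DNS Flag Day 2020 recommends 1232.`, so the number is not a magic constant to the next reader.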
> >
> >
> > Index: src/etc/unbound.conf
> > ===================================================================
> > RCS file: /cvs/src/etc/unbound.conf,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 unbound.conf
> > --- src/etc/unbound.conf      25 Aug 2019 15:50:21 -0000      1.17
> > +++ src/etc/unbound.conf      17 Sep 2019 15:43:32 -0000
> > @@ -39,9 +39,9 @@ server:
> >
> >       # UDP EDNS reassembly buffer advertised to peers. Default 4096.
> >       # May need lowering on broken networks with fragmentation/MTU issues,
> > -     # particularly if validating DNSSEC.
> > -     #
> > -     #edns-buffer-size: 1480
> > +     # particularly if validating DNSSEC.
> > +     # A value around 1232 is recommended to avoid fragmentation attacks.
> > +     #edns-buffer-size: 1232
> >
> >       # Use TCP for "forward-zone" requests. Useful if you are making
> >       # DNS requests over an SSH port forwarding.
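Review bot: the hunk removes and re-adds `# particularly if validating DNSSEC.` unchanged, which makes the diff noisier than necessary; only the bare `#` separator and the `#edns-buffer-size` line actually change, so regenerating the diff against the unmodified comment line keeps the history clean. The wording "A value around 1232" is also vaguer than the rest of this file; since the value comes from the DNS Flag Day 2020 recommendation mentioned at the start of the thread, say so, e.g. `# 1232 is the value recommended by DNS Flag Day 2020 to avoid fragmentation.`. As in the nsd.conf hunk, the option stays commented out, so the advertised size remains the default 4096 until an administrator uncomments it.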
> >
>
> --
> I'm not entirely sure you are real.
>
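To make the setting discussed in this thread concrete, the following is an added example (not part of the original mail or of the nsd/unbound projects) that builds a DNS query carrying an EDNS0 OPT record and reads back the UDP payload size it advertises. The advertised size is what `edns-buffer-size` / `ipv4-edns-size` control; a resolver advertising more than 1232 invites responses large enough to be fragmented. The query name, query id and the check function are constructed here for illustration.

```python
import struct

# 1232 is the DNS Flag Day 2020 recommendation quoted in the thread.
EDNS_RECOMMENDED_MAX = 1232
OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Encode a dotted domain name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, udp_payload_size=None, qid=0x1234):
    """Build an A query for qname; add an OPT record advertising
    udp_payload_size when one is given (constructed sample message)."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    msg = header + question
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_edns_size(msg):
    """Return the UDP payload size from the OPT record, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass  # CLASS field carries the advertised size
    return None


def exceeds_recommendation(msg, limit=EDNS_RECOMMENDED_MAX):
    """True when the message advertises an EDNS buffer larger than limit."""
    size = advertised_edns_size(msg)
    return size is not None and size > limit


if __name__ == "__main__":
    for size in (None, 1232, 4096):
        q = build_query("example.com.", size)
        print(size, advertised_edns_size(q), exceeds_recommendation(q))
```

Fed a captured query or response instead of the constructed one, `advertised_edns_size` shows what a resolver or authoritative server actually puts on the wire, which is the quickest way to confirm that the commented-out values in the hunks above have really been enabled.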
