On Wednesday, September 18, 2019 22:03 +04, Loganaden Velvindron 
<[email protected]> wrote:

> On Wed, Sep 18, 2019 at 5:56 PM Florian Obser <[email protected]> wrote:
> >
> > On Tue, Sep 17, 2019 at 08:19:29PM +0400, logan wrote:
> > > Hi All,
> > >
> > > There was a presentation about fragmentation attacks against DNS:
> > > https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf
> > >
> > > DNS Flag day 2020 recommends 1232 to avoid fragmentation in most
> > > common setups.
> > >
> >
> > What is upstream's stance on this?
> >
>
> They are still discussing the issue.

Upstream will follow the recommendations of the draft.


>
>
>
> > > Index: src/etc/nsd.conf
> > > ===================================================================
> > > RCS file: /cvs/src/etc/nsd.conf,v
> > > retrieving revision 1.13
> > > diff -u -p -r1.13 nsd.conf
> > > --- src/etc/nsd.conf  16 Aug 2018 17:59:12 -0000      1.13
> > > +++ src/etc/nsd.conf  17 Sep 2019 15:43:48 -0000
> > > @@ -17,6 +17,11 @@ server:
> > >  ## on by default
> > >  #    refuse-any: yes
> > >
> > > +## respond with a small EDNS buffer size to avoid
> > > +## fragmentation attacks leading to spoofed DNS packets.
> > > +#    ipv4-edns-size: 1232
> > > +#    ipv6-edns-size: 1232
> > > +
> > >  remote-control:
> > >       control-enable: yes
> > >       control-interface: /var/run/nsd.sock
> > >
> > >
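Review bot: the new comment above `ipv4-edns-size` / `ipv6-edns-size` should state the trade-off, not only the motivation: once the advertised size is 1232, any answer larger than that is sent truncated (TC=1) and the client must retry over TCP, so the admin needs TCP/53 reachable through their filters before uncommenting these lines. The phrase "fragmentation attacks leading to spoofed DNS packets" is also vague; something like "cache poisoning via spoofed IP fragments" (the attack in the OARC slides linked in the thread) says what is being defended against. Both settings stay commented out, matching `refuse-any` above, so no default changes; that is fine, but the commit message should say so.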
> > > Index: src/etc/unbound.conf
> > > ===================================================================
> > > RCS file: /cvs/src/etc/unbound.conf,v
> > > retrieving revision 1.17
> > > diff -u -p -r1.17 unbound.conf
> > > --- src/etc/unbound.conf      25 Aug 2019 15:50:21 -0000      1.17
> > > +++ src/etc/unbound.conf      17 Sep 2019 15:43:32 -0000
> > > @@ -39,9 +39,9 @@ server:
> > >
> > >       # UDP EDNS reassembly buffer advertised to peers. Default 4096.
> > >       # May need lowering on broken networks with fragmentation/MTU 
> > > issues,
> > > -     # particularly if validating DNSSEC.
> > > -     #
> > > -     #edns-buffer-size: 1480
> > > +     # particularly if validating DNSSEC.
> > > +     # A value around 1232 is recommended to avoid fragmentation attacks.
> > > +     #edns-buffer-size: 1232
> > >
> > >       # Use TCP for "forward-zone" requests. Useful if you are making
> > >       # DNS requests over an SSH port forwarding.
> > >
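Review bot: the first `-`/`+` pair (`# particularly if validating DNSSEC.`) is byte-for-byte identical, so the hunk should keep that line as context and replace only the bare `#` line and the `#edns-buffer-size: 1480` example; as posted, the diff appears to change more than it does or hides a whitespace-only edit. "A value around 1232 is recommended" should say by whom, e.g. the DNS flag day 2020 recommendation cited earlier in this thread, because the line above still says `Default 4096` and a reader otherwise cannot tell which number to act on. Note also that `edns-buffer-size` only controls what Unbound advertises to the upstream servers it queries; the largest UDP answer Unbound sends to its own clients is governed by `max-udp-size`, so if the goal is to avoid fragmented responses in both directions that option deserves a matching comment.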
> >
> > --
> > I'm not entirely sure you are real.
> >
