Paul-san,

> for unsigned responses, i think a v6 max-udp-size of 1220 and a v4
> max-udp-size of 512 is what's called for.

I believe typical datalinks of MTU=576 are (were) X.25 and SLIP (of course, it's not RRL's one). And I believe both links are deprecated. And I know the IP specification defines the minimal MTU size as 576. So, we may need a very short RFC for updating the definition of MTU in RFC 791.

-- Orange

From: Paul Vixie <[email protected]>
Date: Mon, 09 Sep 2013 07:31:42 -0700

> ...
>
> Yasuhiro Orange Morishita / 森下泰宏 wrote:
> > Paul-san, and folks,
> >
> > Now we (including me) have known the dangers and limitations,
> > so should we set max-udp-size to 1220 on every authoritative server?
>
> for unsigned responses, i think a v6 max-udp-size of 1220 and a v4
> max-udp-size of 512 is what's called for. i've not seen an explanation of how
> dnssec-covered data can be poisoned, even with fragment attacks. orange, can
> you write RFC 6891-bis?
>
> the messaging that would go out with this is, everybody needs to sign their
> dns data, and everybody needs to validate, and if you're planning to send
> large responses then your authority servers must be v6 reachable, and your v4
> performance will be low due to tcp.
>
> vixie
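The per-family cap Vixie proposes above (1220 over v6, 512 over v4) is easy to misread as the size the server always uses; in practice the server answers with the smaller of what the client advertised in its EDNS0 OPT record (RFC 6891) and its own max-udp-size, and sets TC when the answer would not fit. The following is an added illustration, not code from the thread or from any DNS server: it builds a constructed query, reads the advertised payload size out of the OPT RR, and applies the clamp. The constants and function names are assumptions chosen for the example.

```python
import struct

# Per-address-family caps as proposed in the thread (assumed defaults for this example)
MAX_UDP_SIZE_V4 = 512
MAX_UDP_SIZE_V6 = 1220
DEFAULT_UDP_SIZE = 512  # no OPT record present: classic RFC 1035 limit

def build_query(qname, qtype=1, edns_udp_size=None):
    """Constructed sample: minimal DNS query (RD set), optionally with an EDNS0 OPT RR."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    q += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size is not None:
        # OPT RR (RFC 6891): root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLEN=0
        q += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + q

def skip_name(buf, off):
    """Advance past a wire-format name, handling the compression-pointer form."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def advertised_udp_size(query):
    """Return the UDP payload size from the query's OPT RR, or 512 if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass  # for OPT, the CLASS field carries the payload size
    return DEFAULT_UDP_SIZE

def effective_udp_size(query, client_is_v6):
    """Server-side limit: min(client advertised, per-family cap); values under 512 count as 512."""
    cap = MAX_UDP_SIZE_V6 if client_is_v6 else MAX_UDP_SIZE_V4
    return max(DEFAULT_UDP_SIZE, min(advertised_udp_size(query), cap))

def must_truncate(response_len, query, client_is_v6):
    """True when the response must go out with TC=1 so the client retries over TCP."""
    return response_len > effective_udp_size(query, client_is_v6)
```

With these caps a 1300-byte unsigned answer is truncated for every client, and even a v6 client advertising 4096 is held to 1220, which is the v4 TCP fallback cost the message refers to.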
