On Thu, Jan 16, 2014 at 12:42:36AM +0100, Hannes Frederic Sowa wrote:
> On Wed, Jan 15, 2014 at 03:33:02PM -0800, Colm MacCárthaigh wrote:
> > For DNS, we have the option to respond with a TC=1 response, so if I
> > detected a datagram with suspicious or mismatching TTLs, TC=1 is a decent
> > workaround. TCP is then much more robust against intermediary spoofing. I
> > can't force the clients to use DF though.
>
> That would need to be implemented as cmsg access ancillary data and cannot
> be done as a netfilter module (unless the DNS packet generation is also
> implemented as netfilter target). Because this touches core code, this
> really needs strong arguments to get accepted. Maybe this can be done
> as part of the socket fragmentation notification work. I'll have a look
> but want to think about how easy this can get circumvented first. Maybe
> you already thought about that?
If my DTLS experiments turn out to be usable I guess I will add this feature because I would favour better estimated MTU limits during the handshake. As a new socket option would need to be designed for that, I guess a flags field indicating a mismatch on the TTL on incoming fragments wouldn't hurt.

Thanks,

  Hannes

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
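The TC=1 workaround Colm describes, written out as an added example that is not code from either poster. It keeps a per-source baseline of the IP TTL seen on queries (the datagram-level TTL that Linux hands an application via the `IP_RECVTTL` control message after reassembly; the per-fragment TTL Hannes discusses is not visible to user space, which is exactly the gap in the thread), and when a query arrives with a TTL that departs from that baseline it answers with a header-only truncated response so the resolver retries over TCP. The names `TTLBaseline`, `build_tc_response`, `decide` and the sample query are constructed for this example.

```python
"""Added example: flag queries whose datagram TTL departs from a per-source
baseline and answer them with a DNS TC=1 response (header + question only).
Nothing here reads per-fragment TTLs; it works on the value IP_RECVTTL would
deliver for the reassembled datagram."""
import struct

# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 header layout)
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired, echoed back from the query


def encode_qname(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def parse_question(msg: bytes):
    """Return (id, flags, raw question section) for a single-question query."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS header")
    qid, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = DNS_HEADER.size
    while True:  # walk labels until the zero-length terminator
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[pos]
        if ln & 0xC0:
            raise ValueError("compression pointer not allowed in a query QNAME")
        pos += 1
        if ln == 0:
            break
        pos += ln
    pos += 4  # QTYPE + QCLASS
    if pos > len(msg):
        raise ValueError("truncated question section")
    return qid, flags, msg[DNS_HEADER.size:pos]


def build_tc_response(query: bytes) -> bytes:
    """Header-only response: same ID, QR=1, TC=1, RD copied, question echoed."""
    qid, qflags, question = parse_question(query)
    flags = FLAG_QR | FLAG_TC | (qflags & FLAG_RD)
    return DNS_HEADER.pack(qid, flags, 1, 0, 0, 0) + question


class TTLBaseline:
    """Remember the first TTL seen per source; later deviations are suspicious.
    The tolerance absorbs small routing changes; a spoofed datagram injected
    from a different network position usually shows a very different TTL."""

    def __init__(self, tolerance: int = 2):
        self.tolerance = tolerance
        self.seen = {}

    def suspicious(self, src: str, ttl: int) -> bool:
        base = self.seen.setdefault(src, ttl)
        return abs(base - ttl) > self.tolerance


def decide(query: bytes, src: str, ttl: int, baseline: TTLBaseline):
    """Return ("truncate", tc_response) or ("serve", None)."""
    if baseline.suspicious(src, ttl):
        return "truncate", build_tc_response(query)
    return "serve", None


# Constructed sample: a recursion-desired A query for example.com, ID 0x1234.
SAMPLE_QUERY = (DNS_HEADER.pack(0x1234, FLAG_RD, 1, 0, 0, 0)
                + encode_qname("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    b = TTLBaseline()
    print(decide(SAMPLE_QUERY, "192.0.2.10", 57, b)[0])   # serve (baseline set)
    print(decide(SAMPLE_QUERY, "192.0.2.10", 240, b)[0])  # truncate
```

In a real responder the `ttl` argument would come from `socket.recvmsg()` ancillary data after enabling `IP_RECVTTL` on the UDP socket; the baseline-per-source heuristic is a simplification and would need ageing and a higher tolerance on paths with real multipath variance.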
