>> It cuts the response from 4K to 1.5K, and I think it's fragmentation that
>> contributes to these attacks being damaging.

> All I need to do is find a set of open resolvers which don't have such limits
> to do juuust fine.

Eventually the open resolvers will get updated, and thus these attacks will be
effectively limited. I don't think anyone has conclusively proved they are not
a risk.

> Actually, this doesn't apply, since the reason why ns.se is 2700B is all the
> RRSIGs in the additional section, which are after the A and AAAA records. So
> spoofing this part of the datagrams is pointless anyway, since that only has
> meaning if DNSSEC validation IS performed.

Hold on - can't the spoofer put whatever he likes in the fragment!? He is not
limited to RRSIGs.

George

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
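The two claims above (that the bytes past the first 1500-byte fragment of a signed response are nothing but additional-section RRSIGs, and that a spoofer is not restricted to RRSIGs because the reassembler never looks at DNS content) can both be checked on the wire. The following is an added example, not code from the thread or from any of the participants: it constructs a DNSSEC-style NS response of roughly ns.se's shape with made-up names (ns0.example. and friends, zero-filled 256-byte signatures, addresses from 192.0.2.0/24 and 198.51.100.0/24), splits it into IPv4 fragments at a 1500-byte MTU, and shows what a fragment reassembler actually keys on. The message sizes, IP ID and port numbers are constructed for the demonstration.

```python
"""Added example, not from the DNSOP thread: build a constructed DNSSEC-signed
NS response, split it into IPv4 fragments at a 1500-byte MTU, and show (a) which
bytes land in the second fragment and (b) what a reassembler keys on."""
import math
import struct

A, NS, AAAA, OPT, RRSIG = 1, 2, 28, 41, 46

def encode_name(name):
    """Uncompressed wire-format DNS name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig(name, covered, sig_len):
    """RRSIG with a zero-filled signature of sig_len bytes (constructed, RSA-like size)."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 2, 3600, 0, 0, 0)  # alg 8, labels, TTLs, keytag
    return rr(name, RRSIG, fixed + encode_name("example.") + b"\x00" * sig_len)

def build_response(n_ns=3, sig_len=256):
    """Constructed response shaped like a signed delegation: NS set + RRSIG in the
    answer section; glue A/AAAA first, then their RRSIGs, then OPT, in additional."""
    hosts = [f"ns{i}.example." for i in range(n_ns)]
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_ns + 1, 0, 4 * n_ns + 1)
    question = encode_name("example.") + struct.pack("!HH", NS, 1)
    answer = b"".join(rr("example.", NS, encode_name(h)) for h in hosts)
    answer += rrsig("example.", NS, sig_len)
    glue = b"".join(rr(h, A, bytes([192, 0, 2, i])) + rr(h, AAAA, bytes(15) + bytes([i]))
                    for i, h in enumerate(hosts))
    sigs = b"".join(rrsig(h, A, sig_len) + rrsig(h, AAAA, sig_len) for h in hosts)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)  # EDNS0 bufsize 4096, DO bit
    msg = header + question + answer + glue + sigs + opt
    layout = {"additional_start": len(header + question + answer),
              "rrsig_start": len(header + question + answer + glue)}
    return msg, layout

def fragment_ipv4(dns_msg, src, dst, ip_id, mtu=1500):
    """Wrap the DNS message in a UDP header and split it into IPv4 fragments the way
    a sending stack does: every fragment shares (src, dst, proto, id); only the first
    one carries the UDP header (ports). UDP checksum is left 0 to keep this short."""
    udp = struct.pack("!HHHH", 53, 33333, 8 + len(dns_msg), 0) + dns_msg
    chunk = (mtu - 20) // 8 * 8  # 1480: largest multiple of 8 after the IPv4 header
    return [{"src": src, "dst": dst, "proto": 17, "id": ip_id, "offset": off // 8,
             "mf": off + chunk < len(udp), "data": udp[off:off + chunk]}
            for off in range(0, len(udp), chunk)]

def second_fragment_dns_offset(frags):
    """Byte offset into the DNS message at which fragment 2 begins (UDP header is 8 B)."""
    return frags[1]["offset"] * 8 - 8

def reassemble(frags):
    """Minimal reassembler: groups on (src, dst, proto, id) only, exactly what IP
    gives it. Nothing DNS-level (TXID, ports, question) is checked for fragment 2+."""
    if len({(f["src"], f["dst"], f["proto"], f["id"]) for f in frags}) != 1:
        raise ValueError("fragments do not belong to one datagram")
    frags = sorted(frags, key=lambda f: f["offset"])
    udp = b""
    for f in frags:
        if f["offset"] * 8 != len(udp):
            raise ValueError("hole in fragment chain")
        udp += f["data"]
    if frags[-1]["mf"]:
        raise ValueError("last fragment missing")
    return udp[8:]  # strip UDP header -> DNS message

def forge_second_fragment(first, attacker_bytes):
    """Constructed attacker fragment: it only needs the reassembly key and an offset
    right after the genuine first fragment; its payload is entirely attacker-chosen."""
    return {"src": first["src"], "dst": first["dst"], "proto": 17, "id": first["id"],
            "offset": len(first["data"]) // 8, "mf": False, "data": attacker_bytes}

def fragments_for(dns_len, edns_bufsize, mtu=1500):
    """Number of IPv4 fragments a response occupies once capped at the EDNS buffer size."""
    wire = min(dns_len, edns_bufsize) + 8
    return math.ceil(wire / ((mtu - 20) // 8 * 8))

if __name__ == "__main__":
    msg, layout = build_response()
    frags = fragment_ipv4(msg, "192.0.2.53", "198.51.100.7", ip_id=0x1A2B)
    start = second_fragment_dns_offset(frags)
    print(f"response {len(msg)} B -> {len(frags)} fragments; fragment 2 starts at DNS "
          f"offset {start}, RRSIGs start at {layout['rrsig_start']}: "
          f"{'all RRSIG/OPT bytes' if start >= layout['rrsig_start'] else 'includes glue'}")
    forged = forge_second_fragment(frags[0], b"\x41" * len(frags[1]["data"]))
    print("forged fragment accepted:", reassemble([frags[0], forged]) != msg)
    for buf in (4096, 1500, 1232):
        print(f"EDNS bufsize {buf}: {fragments_for(len(msg), buf)} fragment(s)")
```

Two things worth noting from running it. First, with this layout the second fragment does start inside the additional-section RRSIGs, so the quoted observation holds for the genuine bytes; but the reassembler accepts any fragment carrying the same (src, dst, proto, IP ID) and the right offset, which is George's point: the genuine content of fragment 2 says nothing about what a spoofed fragment 2 may contain. The only check a real stack adds on top of this toy is the UDP checksum over the reassembled datagram, which the example leaves at 0; an attacker's fragment has to come out right under that checksum, and the example assumes the IP ID is known or guessable. Second, capping the EDNS buffer at 1500 still yields two fragments for a 2468-byte answer because the IPv4 and UDP headers eat 28 bytes, which is why the practical limit to avoid fragmentation on a 1500-byte path is lower (1232 is the usual figure; with that value the response is truncated to one fragment and the rest goes over TCP).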