----- Original Message ----- 
From: "Nicholas Weaver" <nwea...@icsi.berkeley.edu>
To: "George Barwood" <george.barw...@blueyonder.co.uk>
Cc: "Nicholas Weaver" <nwea...@icsi.berkeley.edu>; <dnsop@ietf.org>
Sent: Saturday, March 20, 2010 2:26 PM
Subject: Re: [DNSOP] Should root-servers.net be signed



On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>>> Enshrining "thou shalt never fragment" into the Internet Architecture is
>>> dangerous, and will cause far MORE problems. Having something which
>>> regularly exercises fragmentation as critical to the infrastructure and
>>> we wouldn't have this problem where 10% of the resolvers are broken WRT
>>> fragmentation.
>> 
>> I'm not suggesting that. If the higher level protocol has definite security 
>> checks, or security is not important,
>> fragmentation is ok. But for DNSSEC neither of these is true.

> Then what you're arguing here is don't request stuff with DO unless you are
> willing to validate.  Given the exercise of DO requesting is done (the
> firewalls have figured it out), drop DO on unvalidated traffic, don't drop
> fragmentation.

What I'm suggesting is that there is currently a real security problem (worse
than Kaminsky), and the most practical way to fix it is for servers not to send
UDP responses that will fragment. For example, the recently signed UK zone,
which is an immediate concern for me.

There is no practical reduction in performance for zones that mostly issue
referrals. Normal responses will easily fit into 1450 byte packets for sensible
key sizes (actually much less - about 800 bytes should be sufficient, maybe a
bit more during key rollover).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
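The size figures in the message above (referrals fitting in well under 1450 bytes, roughly 800 bytes even during a rollover) are easy to check by encoding a signed referral in DNS wire format and measuring it. The script below is an added example written for this page, not code from the list thread or from any nameserver; it builds a delegation response for a constructed scenario (a referral for www.example.uk from the uk zone, two in-bailiwick nameservers with glue, two SHA-256 DS records, one RSA RRSIG over the DS set, or two during a ZSK rollover) and reports the UDP payload size. The names, key tags and addresses are made up, RSA signature length is assumed to equal the modulus size (key_bits / 8), and DS digests are assumed to be SHA-256 (32 bytes). Name compression follows RFC 1035, and the RRSIG signer name is left uncompressed as RFC 4034 requires.

```python
"""Estimate the UDP wire size of a signed DNS referral (delegation) response.

Added example, not from the mailing-list post. Zone names, key tags, TTLs and
addresses below are constructed for illustration.
"""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 2, 41, 43, 46
CLASS_IN = 1
ALG_RSASHA256, DIGEST_SHA256 = 8, 2


def encode_name(name, offset, comp, compress=True):
    """RFC 1035 wire-format name. `comp` maps name suffix -> message offset so
    later occurrences can be replaced by a 2-byte compression pointer."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if compress and suffix in comp:
            out += struct.pack("!H", 0xC000 | comp[suffix])
            return bytes(out)
        if compress and offset + len(out) < 0x3FFF:
            comp[suffix] = offset + len(out)
        enc = label.encode("ascii")
        out += bytes([len(enc)]) + enc
    out += b"\x00"  # root label
    return bytes(out)


def encode_rr(owner, rtype, ttl, rdata_fn, offset, comp):
    """One resource record: owner name, 10-byte fixed part, then rdata built
    at the offset it will really occupy (so names inside it compress right)."""
    name = encode_name(owner, offset, comp)
    rdata = rdata_fn(offset + len(name) + 10, comp)
    return name + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rd_ns(target):
    return lambda off, comp: encode_name(target, off, comp)


def rd_a(ip):
    return lambda off, comp: bytes(int(o) for o in ip.split("."))


def rd_ds(digest_len=32):
    # key tag (2) + algorithm (1) + digest type (1) + digest (constructed zeros)
    return lambda off, comp: (struct.pack("!HBB", 12345, ALG_RSASHA256, DIGEST_SHA256)
                              + b"\x00" * digest_len)


def rd_rrsig(signer, sig_len):
    # RFC 4034 s3.1: 18 fixed bytes, then the signer name, which MUST NOT be
    # compressed, then the signature (RSA: modulus size in bytes).
    def build(off, comp):
        fixed = struct.pack("!HBBIIIH", TYPE_DS, ALG_RSASHA256, 2, 86400, 0, 0, 12345)
        return fixed + encode_name(signer, off, comp, compress=False) + b"\x00" * sig_len
    return build


def signed_referral_size(qname, zone, delegation, nameservers, glue,
                         ds_count, key_bits, sig_count, edns=True):
    """Wire size (bytes) of a referral: question, unsigned NS delegation set,
    DS set with `sig_count` RRSIGs, glue A records, and an OPT record."""
    comp = {}
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8100, 1, 0, 0, 0))  # header (12 bytes)
    msg += encode_name(qname, len(msg), comp) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ns in nameservers:                      # authority: delegation NS set
        msg += encode_rr(delegation, TYPE_NS, 172800, rd_ns(ns), len(msg), comp)
    for _ in range(ds_count):                   # authority: DS set
        msg += encode_rr(delegation, TYPE_DS, 86400, rd_ds(), len(msg), comp)
    for _ in range(sig_count):                  # RRSIG(DS) by the parent's ZSK(s)
        msg += encode_rr(delegation, TYPE_RRSIG, 86400,
                         rd_rrsig(zone, key_bits // 8), len(msg), comp)
    for host, ip in glue.items():               # additional: glue
        msg += encode_rr(host, TYPE_A, 172800, rd_a(ip), len(msg), comp)
    if edns:                                    # OPT RR: root name + 10 bytes
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return len(msg)


def example_referral(key_bits, sig_count=1):
    """Constructed scenario: www.example.uk referred by the uk zone to two
    in-bailiwick nameservers with glue, two DS records, RSA ZSK of key_bits."""
    return signed_referral_size(
        qname="www.example.uk", zone="uk", delegation="example.uk",
        nameservers=["ns1.example.uk", "ns2.example.uk"],
        glue={"ns1.example.uk": "192.0.2.1", "ns2.example.uk": "192.0.2.2"},
        ds_count=2, key_bits=key_bits, sig_count=sig_count)


def fits_unfragmented(size, limit=1450):
    """True if the payload stays under the no-fragmentation budget used above."""
    return size <= limit


if __name__ == "__main__":
    for bits in (1024, 2048):
        for sigs in (1, 2):
            size = example_referral(bits, sigs)
            print(f"ZSK {bits}-bit, {sigs} RRSIG(s): {size} bytes, "
                  f"fits in 1450: {fits_unfragmented(size)}")
```

With these assumptions the referral comes to 369 bytes for a 1024-bit ZSK and 497 bytes for 2048-bit; carrying two signatures during a rollover gives 531 and 787 bytes. Adding a third nameserver, IPv6 glue, or a larger DS set grows the answer by a few tens of bytes per record, so a server that caps its UDP responses at 1450 bytes (or even 800) and sets TC for anything larger still answers the common referral case in a single unfragmented datagram.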
