On Thu, 12 Nov 2015 08:00:50 -0800 Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:
> We've done some of this in Netalyzr. Captive portals in particular
> are a problem, with about 1% of systems measured in Netalyzr unable
> to use EDNS0 to get DNSSEC information either from the recursive
> resolver OR directly from the roots.

After a DNS over TCP discussion, a student of mine indicated that they recently fixed a problem in their network where DNS messages over 512 bytes were not being relayed.

It appears the root cause has to do with some defaults being set on common gear that simply drops messages over 512 bytes. For example:

<http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5>

    !-- Enable a maximum message length to help defeat DNS
    !-- amplification attacks. Note: This is the default
    !-- configuration and value based on RFC 1035.
    !
    message-length maximum 512

This contradicts what IETF RFC 6891 (EDNS0, April 2013) now says:

    6.2.6. Support in Middleboxes
    [...]
    Conformant middleboxes MUST NOT limit DNS messages over UDP to 512 bytes.

John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
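A small probe that exercises the point of the post, added here as an example and not code from the thread or from Netalyzr: it builds an EDNS0 query (RFC 6891 OPT RR advertising a 4096-byte UDP payload), models the Cisco "message-length maximum 512" default as a relay that drops larger datagrams, and classifies what a client would see. The `probe` helper, the resolver address it takes, and the two sample responses are assumptions constructed for the example.

```python
import socket
import struct

MIDDLEBOX_LIMIT = 512  # the RFC 1035 size the Cisco default enforces


def build_edns_query(name, qtype=48, udp_payload=4096, txid=0x1234):
    """Query for `name` (default DNSKEY) with an RFC 6891 OPT pseudo-RR
    advertising `udp_payload` bytes and the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x00008000, 0)
    return header + question + opt

def parse_response(data):
    """Fields a 512-byte-limit probe cares about: TC bit, rcode, wire length."""
    txid, flags, *_ = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "length": len(data)}

def middlebox_relay(msg, max_len=MIDDLEBOX_LIMIT):
    """Model of 'message-length maximum 512': larger datagrams are silently dropped."""
    return msg if len(msg) <= max_len else None

def classify(response):
    """`response` is the raw UDP reply, or None when nothing arrived before timeout."""
    if response is None:
        return "dropped"      # what a >512-byte filter on the path looks like to the client
    info = parse_response(response)
    if info["tc"]:
        return "truncated"    # server fell back to 512 bytes; client must retry over TCP
    return "large-ok" if info["length"] > MIDDLEBOX_LIMIT else "small-ok"

def probe(resolver_ip, name="example.com.", timeout=3.0):
    """Hypothetical live helper (needs network): send the query, return None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (resolver_ip, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None

# Constructed replies (not real captures): a 712-byte DNSSEC-sized answer and a 412-byte TC=1 answer.
BIG_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1) + b"\x00" * 700
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 1) + b"\x00" * 400
```

Running `classify(probe(<resolver>))` from inside the affected network would return "dropped" for a DNSKEY query whenever the path enforces the 512-byte default, while "large-ok" shows an RFC 6891-conformant path.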