Sorry for the late response. I could not understand the second paragraph about TSIG.

> From: Mark Andrews <ma...@isc.org>
> Firstly you are insane to recommend dropping PTB's. That will break lots of
> things including TCP.

Thanks. I agree. I was mainly concerned with IPv4. Dropping IPv4 ICMP "fragmentation needed and DF set" and IPv6 PTB may cause TCP problems.

Then my proposal changed as follows:

Authoritative servers should set a static EDNS buffer size of 1220 (and set the DF bit in responses on IPv4).

Full-service resolvers should set a static EDNS buffer size of 1220 and should drop fragmented DNS response packets with packet filters:

  IPv4: drop UDP, source port 53, More Fragments bit = 1
  IPv6: drop packets that have Next Header = Fragment, fragment offset = 0, More Fragments = 1, next header = UDP, source port 53

TCP will work if the end node is under an ICMP PTB/fragmentation-needed attack and the path MTU becomes less than 300.

> Secondly we could just use a well known TSIG key and have the authoritative
> servers add it to their configuration today, especially the root and TLD
> servers. The recursive servers could also add the key for root and TLD
> servers they know have installed the well known key. This is easy to test
> with tools like dig.

Do you mean that TSIG protects against second fragmentation attacks?

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
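The two resolver-side filter rules in the message above (IPv4: UDP, source port 53, MF=1; IPv6: Fragment header with offset 0, M=1, inner next header UDP, source port 53), written out as a stateless packet classifier. This is an added example for illustration and is not code from the post or from JPRS; it parses raw IPv4/IPv6 headers with the standard library and decides whether a packet would be dropped. Assumptions labelled in the code: the IPv4 rule is applied only to the first fragment (offset 0), because later fragments carry no UDP header and reassembly cannot complete once the first one is gone; for IPv6 the Fragment header is assumed to follow the base header directly, with no other extension headers in between. The sample packets are constructed inline.

```python
import struct

IPPROTO_UDP = 17
IPV6_FRAGMENT_HDR = 44
DNS_PORT = 53


def should_drop(pkt: bytes) -> bool:
    """Return True if pkt is a fragmented UDP/53 response per the rules above."""
    version = pkt[0] >> 4

    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4                    # header length in bytes
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        mf = bool(flags_frag & 0x2000)               # More Fragments bit
        offset = flags_frag & 0x1FFF                 # fragment offset (8-octet units)
        proto = pkt[9]
        # Assumption: only the first fragment (offset 0) carries the UDP
        # header, so the source-port test is only meaningful there.
        if not (mf and offset == 0 and proto == IPPROTO_UDP):
            return False
        src_port = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
        return src_port == DNS_PORT

    if version == 6:
        next_hdr = pkt[6]
        if next_hdr != IPV6_FRAGMENT_HDR:
            return False
        # Assumption: Fragment header immediately follows the 40-byte base header.
        frag = pkt[40:48]
        inner_nh = frag[0]
        off_m = struct.unpack("!H", frag[2:4])[0]
        offset = off_m >> 3                          # upper 13 bits
        mf = bool(off_m & 0x1)                       # M flag
        if not (inner_nh == IPPROTO_UDP and offset == 0 and mf):
            return False
        src_port = struct.unpack("!H", pkt[48:50])[0]  # UDP header after fragment header
        return src_port == DNS_PORT

    return False


# --- constructed sample packets (not captured traffic) ---------------------

def build_ipv4(mf: bool, proto: int, src_port: int, offset: int = 0) -> bytes:
    """Minimal IPv4 packet with a UDP header; checksums left zero (sample only)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    udp = struct.pack("!HHHH", src_port, 40000, 8, 0)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(udp), 0x1234, flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # RFC 5737 test addresses
    return hdr + udp


def build_ipv6(fragmented: bool, mf: bool, inner_proto: int, src_port: int,
               offset: int = 0) -> bytes:
    """Minimal IPv6 packet, optionally with a Fragment extension header."""
    src6 = bytes.fromhex("20010db8000000000000000000000001")  # RFC 3849 doc prefix
    dst6 = bytes.fromhex("20010db8000000000000000000000002")
    udp = struct.pack("!HHHH", src_port, 40000, 8, 0)
    if fragmented:
        off_m = ((offset & 0x1FFF) << 3) | (1 if mf else 0)
        frag_hdr = struct.pack("!BBHI", inner_proto, 0, off_m, 0xABCD)
        payload, next_hdr = frag_hdr + udp, IPV6_FRAGMENT_HDR
    else:
        payload, next_hdr = udp, inner_proto
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64, src6, dst6)
    return hdr + payload


if __name__ == "__main__":
    samples = {
        "v4 first fragment of DNS response": build_ipv4(True, IPPROTO_UDP, DNS_PORT),
        "v4 unfragmented DNS response": build_ipv4(False, IPPROTO_UDP, DNS_PORT),
        "v4 fragment, other source port": build_ipv4(True, IPPROTO_UDP, 40000),
        "v6 first fragment of DNS response": build_ipv6(True, True, IPPROTO_UDP, DNS_PORT),
        "v6 unfragmented DNS response": build_ipv6(False, False, IPPROTO_UDP, DNS_PORT),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'DROP' if should_drop(pkt) else 'pass'}")
```

Running the block prints a DROP/pass verdict for each constructed sample; only the first fragments of UDP/53 responses are dropped, while unfragmented answers, TCP, and non-DNS fragments pass, which is what keeps the filter from breaking ordinary traffic while still defeating reassembly of injected fragments.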