Sorry for the late response. I could not understand the second paragraph about TSIG.

> From: Mark Andrews <ma...@isc.org>
> Firstly you are insane to recommend dropping PTB's.  That will break lots of
> things including TCP.

Thanks. I agree. 

I was mainly concerned with IPv4. Dropping IPv4 ICMP "fragmentation needed
and DF set" and IPv6 PTB may cause TCP problems.

My proposal is then changed as follows:

  Authoritative servers should set a static EDNS buffer size of 1220
  (and set the DF bit in responses on IPv4).

  Full-service resolvers should set a static EDNS buffer size of 1220
  and should drop fragmented DNS response packets with packet filters:

    IPv4: drop UDP, source port 53, More Fragments bit = 1
    IPv6: drop packets that have Next Header = Fragment,
          fragment offset = 0, More Fragments = 1, next header = UDP,
          UDP source port 53

  TCP will still work if the end node is under an ICMP PTB/fragmentation
    needed attack and the path MTU drops below 300.

> Secondly we could just use a well known TSIG key and have the authoritative
> servers add it to their configuration today, especially the root and TLD
> servers.  The recursive servers could also add the key for root and TLD
> servers they know have installed the well known key.  This is easy to test
> with tools like dig.

Do you mean that TSIG protects from second fragmentation attacks?

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
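The resolver-side packet filter in Fujiwara's proposal, implemented as a stand-alone classifier over raw IPv4 and IPv6 packets. This is an added example and not code from the message or from any DNS implementation; the helper builders (`udp`, `ipv4`, `ipv6`) and the constructed packets with documentation addresses are assumptions made so the classifier can be exercised offline. One detail worth seeing in code: a stateless filter can only match the UDP source port in the first fragment (offset 0), because later fragments carry no transport header. Dropping that first fragment is sufficient, since the receiving stack can then never complete reassembly and the tail fragments are discarded when the reassembly timer expires.

```python
"""Stateless classifier for the proposed 'drop fragmented DNS responses' rule.

Added example. Packets below are constructed in memory; nothing is sent.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPV6_NH_FRAGMENT = 44
DNS_PORT = 53


def classify_ipv4(pkt: bytes) -> str:
    """IPv4 rule: UDP, source port 53, More Fragments = 1  ->  'drop'.

    The UDP header exists only in the first fragment (offset 0), so this is
    the only fragment the port test can match; later fragments pass through
    but are useless to the resolver once the first one is gone.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "pass"  # not IPv4, leave it to the stack
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    if proto != IPPROTO_UDP or not more_fragments or frag_offset != 0:
        return "pass"
    if len(pkt) < ihl + 8:
        return "pass"  # truncated, no UDP header to inspect
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return "drop" if sport == DNS_PORT else "pass"


def classify_ipv6(pkt: bytes) -> str:
    """IPv6 rule: Next Header = Fragment, offset 0, M = 1, fragment Next
    Header = UDP, UDP source port 53  ->  'drop'.

    As in the rule as written, only a Fragment header that directly follows
    the base header is inspected; other extension-header chains pass.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "pass"
    if pkt[6] != IPV6_NH_FRAGMENT or len(pkt) < 48:
        return "pass"
    frag_next, _res, off_m, _ident = struct.unpack("!BBHI", pkt[40:48])
    frag_offset = off_m >> 3          # 13-bit offset in 8-octet units
    more_fragments = bool(off_m & 1)  # M flag is the low bit
    if frag_next != IPPROTO_UDP or frag_offset != 0 or not more_fragments:
        return "pass"
    if len(pkt) < 56:
        return "pass"
    sport = struct.unpack("!H", pkt[48:50])[0]
    return "drop" if sport == DNS_PORT else "pass"


# --- constructed test packets (assumed helpers, not from the message) ------

def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """UDP header (checksum left as 0) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4(payload: bytes, proto: int = IPPROTO_UDP,
         mf: bool = False, offset: int = 0) -> bytes:
    """IPv4 header 192.0.2.1 -> 192.0.2.2 (documentation range, checksum 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def ipv6(payload: bytes, proto: int = IPPROTO_UDP, fragment: bool = False,
         mf: bool = False, offset: int = 0) -> bytes:
    """IPv6 header 2001:db8::1 -> 2001:db8::2, optionally with a Fragment header."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    if fragment:
        body = struct.pack("!BBHI", proto, 0, (offset << 3) | int(mf), 0xDEADBEEF) + payload
        next_hdr = IPV6_NH_FRAGMENT
    else:
        body, next_hdr = payload, proto
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), next_hdr, 64, src, dst) + body


if __name__ == "__main__":
    answer = udp(DNS_PORT, 40000, b"\x00" * 100)
    print("ipv4 whole   :", classify_ipv4(ipv4(answer)))
    print("ipv4 first fr:", classify_ipv4(ipv4(answer, mf=True)))
    print("ipv4 tail fr :", classify_ipv4(ipv4(b"\x00" * 100, offset=185)))
    print("ipv6 first fr:", classify_ipv6(ipv6(answer, fragment=True, mf=True)))
```

Unfragmented responses (DF set, EDNS buffer size 1220, as the proposal asks of authoritative servers) pass untouched; only a first fragment claiming to come from port 53 is dropped, and fragmented TCP is never matched because the protocol test comes before the port test.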