Puneet Sood <pune...@google.com> writes:

> Independent of the decision on EDE forwarding and caching, the I-D
> needs to have some guidance for it [truncation]. The EXTRA-TEXT field
> may be obtained from configuration and it is possible that the
> resulting DNS message will exceed UDP message size limit in the
> request.

I added this text to the next version:

<t>When the response grows beyond the requestor's UDP payload size <xref target="RFC6891" />, servers SHOULD truncate messages by dropping EDE options before dropping other data from packets. Implementations SHOULD set the truncation bit when dropping EDE options.</t>

(and we'll have a forwarding discussion in Singapore)

> > * 14.5.0.4 NOCHANGE 5. Security Considerations
> >
> > Para 2: "This information is unauthenticated information, and an
> > attacker (e.g a MITM or malicious recursive server) could insert an
> > extended error response into already untrusted data ..." Comment:
> > Agree with some other comments that this is not relevant since no
> > action is expected to be taken based on EDEs. Comment: There are
> > ideas in the thread to have links to info in the EXTRA-TEXT and
> > possibly display it to users. I guess the usual warnings to not
> > click on potentially unsafe links apply.
> >
> > + Yeah, it really would be remiss to leave out that point. There may
> > be nothing we can do, but the whole point of a security
> > consideration is to properly disclose any known threats/issues.
>
> I do not see text mentioning this.

I think we're miscommunicating. Can you propose concrete text changes?

--
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
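As an added illustration of the truncation guidance quoted above (this is not code from the draft, the thread, or any DNS implementation), the following Python sketch encodes an EDE option (EDNS option code 15, INFO-CODE plus EXTRA-TEXT) and applies the stated order: shed EDE options first, set the TC bit when any were dropped, and only then report that other data still has to go. The INFO-CODE value, the opaque byte string standing in for the question/answer/authority sections, and the function names are assumptions made for the example.

```python
import struct

EDE_OPTION_CODE = 15   # EDNS0 option code assigned to Extended DNS Errors
TC_FLAG = 0x0200       # TC bit in the 16-bit DNS header flags word
DNS_HEADER_LEN = 12
OPT_FIXED_LEN = 11     # root name (1) + TYPE (2) + CLASS/UDP size (2) + TTL (4) + RDLENGTH (2)

def build_ede_option(info_code, extra_text=""):
    """Encode one EDE option: OPTION-CODE 15, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data

def parse_options(opt_rdata):
    """Split OPT RDATA into (option-code, option-data) pairs."""
    options, pos = [], 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        options.append((code, opt_rdata[pos:pos + length]))
        pos += length
    return options

def message_size(sections, opt_rdata):
    """Wire size of a response: header + question/answer/authority bytes + OPT RR."""
    return DNS_HEADER_LEN + len(sections) + OPT_FIXED_LEN + len(opt_rdata)

def fit_to_udp(flags, sections, opt_rdata, udp_payload_size):
    """Drop EDE options before anything else and set TC if any were dropped.
    Returns (flags, opt_rdata, still_too_big); other data is only shed after this."""
    if message_size(sections, opt_rdata) <= udp_payload_size:
        return flags, opt_rdata, False
    options = parse_options(opt_rdata)
    kept = [(c, d) for c, d in options if c != EDE_OPTION_CODE]
    new_rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in kept)
    if len(kept) != len(options):
        flags |= TC_FLAG          # truncation bit set because EDE options were removed
    return flags, new_rdata, message_size(sections, new_rdata) > udp_payload_size

if __name__ == "__main__":
    # Constructed sample: 480 bytes of RRs plus a long EXTRA-TEXT taken from configuration.
    # INFO-CODE 3 is used here only as an example value.
    sections = b"\x00" * 480
    opt_rdata = build_ede_option(3, "stale answer served: " + "x" * 40)
    print(fit_to_udp(0x8180, sections, opt_rdata, 512))
```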