Paul Wouters via Datatracker wrote on 2023-12-29 11:37:
Paul Wouters has entered the following ballot position for
draft-ietf-dnsop-avoid-fragmentation-16: Yes


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


         ...

If what you want is "we really really want this but it cannot be done on every OS", then I think SHOULD instead of MUST is fine, but MAY seems too weak.

I agree.


         R7. UDP requestors MAY drop fragmented DNS/UDP responses without
         IP reassembly to avoid cache poisoning attacks.

         R8. DNS responses may be dropped by IP fragmentation. Upon a
         timeout, to avoid resolution failures, UDP requestors MAY retry
         using TCP or UDP with a smaller EDNS requestor's maximum UDP
         payload size per local policy.

Same here. R7 and R8 are "recommendations" so I feel the MAYs should be SHOULDs. Otherwise the recommendation becomes "do whatever you MAY please", in which case why are these in the document?

I agree.

         R9. Use a smaller number of name servers (13 may be too large)

I would say "name server names" instead of "name servers", to avoid any ambiguity of anycast name servers operating under the same name. E.g. the document is not saying "use less than 13 name servers", but it is saying "use less than 13 name server names".

I agree.



         smaller than those usually used for RSA.

smaller than those of equivalent cryptographic strength using RSA

I agree.


--
P Vixie
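The R7/R8 behaviour discussed above (a requestor that cannot see a dropped fragmented reply and only observes a timeout, then retries with a smaller EDNS requestor's maximum UDP payload size or over TCP) as a worked example. This is added code, not part of the draft, the ballot or this reply. The payload sizes 1232 and 512, the fake transports and the minimal reply format are assumptions constructed so the example runs offline; a real requestor would plug in sockets for `send_udp` and `send_tcp`.

```python
import struct

# Added example, not from draft-ietf-dnsop-avoid-fragmentation or this thread.
# Builds a DNS/UDP query carrying an EDNS0 OPT record with a chosen requestor's
# maximum UDP payload size, and implements an R8-style fallback policy that is
# exercised against constructed fake transports.

OPT_TYPE = 41
# Assumed sizes (not stated on the page): a common modern default, then the
# classic 512-octet minimum that any IPv4 path carries without fragmentation.
FALLBACK_SIZES = (1232, 512)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int, udp_payload_size: int) -> bytes:
    """Query with RD set and one OPT RR; the advertised UDP payload size lives
    in the OPT record's CLASS field."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_payload_size(msg: bytes):
    """Return the UDP payload size advertised in the OPT RR, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def is_truncated(msg: bytes) -> bool:
    """TC bit set: the server could not fit its answer within the UDP limit."""
    return bool(struct.unpack_from("!H", msg, 2)[0] & 0x0200)


def resolve_with_fallback(send_udp, send_tcp, qname, qtype, txid, sizes=FALLBACK_SIZES):
    """R8-style requestor policy. send_udp(query) returns response bytes, or
    None on timeout (all a requestor observes when a fragmented reply is dropped,
    whether by the network or by its own R7 policy). Each timeout retries with
    the next smaller advertised size; a truncated reply or exhausted sizes falls
    back to TCP via send_tcp(query)."""
    attempts = []
    for size in sizes:
        resp = send_udp(build_query(qname, qtype, txid, size))
        attempts.append(("udp", size))
        if resp is None:
            continue  # timeout: shrink the advertised payload size and retry
        if is_truncated(resp):
            break  # answer does not fit in UDP at all; go straight to TCP
        return {"transport": "udp", "size": size, "attempts": attempts, "response": resp}
    attempts.append(("tcp", None))
    resp = send_tcp(build_query(qname, qtype, txid, sizes[-1]))
    return {"transport": "tcp", "size": None, "attempts": attempts, "response": resp}


def fake_response(query: bytes, tc: bool = False) -> bytes:
    """Constructed minimal reply: same ID, QR/RD/RA set, optional TC, no records."""
    txid = struct.unpack_from("!H", query, 0)[0]
    return struct.pack("!HHHHHH", txid, 0x8180 | (0x0200 if tc else 0), 0, 0, 0, 0)


def fake_server_with_pmtu(max_unfragmented: int):
    """Constructed UDP transport: if the advertised size would let the server
    send a reply larger than the path carries unfragmented, the reply is
    fragmented and lost, so the requestor just times out."""
    def send_udp(query):
        if edns_payload_size(query) > max_unfragmented:
            return None
        return fake_response(query)
    return send_udp


if __name__ == "__main__":
    result = resolve_with_fallback(fake_server_with_pmtu(600), fake_response, "example.com", 1, 0x1234)
    print(result["transport"], result["size"], result["attempts"])
```

With a path that only carries 600 octets unfragmented, the first attempt at 1232 times out and the retry at 512 succeeds over UDP; if every UDP attempt times out, or the server sets TC, the requestor ends up on TCP. The transports are parameters precisely so the policy can be tested without a network.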

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
