Thank you for your reply. I have added some comments in-line.

On Thu, May 2, 2024 at 10:42 AM Ben Schwartz wrote:

> It seems like this draft says that the indicated MRDS overrides the EDNS
> BUFSIZE value. This seems likely to create problems if the MRDS value
> could be set by a lower layer in the stack or a downstream processing
> component (without knowledge of DNS), resulting in responses that are too
> large for the DNS client's allocated buffer. In other words, just because
> I am capable of receiving very large UDP packets does not mean that I am
> capable of processing very large DNS responses.

This actually should not be a concern, as the intent is that UDP options are sent, or responded to, ONLY at the explicit behest of the upper layer. In other words, they are always opt-in. In this instance, the upper layer would have to explicitly ask for the MRDS option to be included in the outgoing request, and would have to set the MRDS size appropriately (which would mean the lesser of its own buffer capacity and what the system would support).

> In general, support for very large DNS responses in UDP is considered
> harmful because of the potential for reflection-amplification attacks. For
> this reason, as well as concerns about legacy compatibility and general
> complexity, I think we would be better off not attempting to use UDP
> Options with DNS.

Point taken - fallback to TCP does not have this particular vulnerability.

Respectfully,
Mike Heard
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop