[dns-wg] [dns-operations] Announcement - DNS flag day on 2019-02-01
Florian Weimer
fw at deneb.enyo.de
Thu Jun 14 07:34:56 CEST 2018
* Mark Andrews:

>> On 14 Jun 2018, at 6:51 am, Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> * Petr Špaček:
>>
>>> you might be interested in information about "DNS flag day" coordinated
>>> by open-source DNS vendors and is planned for 2019-02-01
>>> (February 1st 2019).
>>>
>>> Further information can be found on
>>> https://dnsflagday.net/
>>
>> Is there still no reduction of EDNS buffer size to around 1200 bytes?
>> Isn't it time after ten years to address that particular
>> vulnerability?
>
> If you are talking about fragmentation reassembly attacks you need to
> use something with a cryptographic hash independent of EDNS.

Or you can avoid fragmentation in the first place, which includes
ignoring ICMP Fragmentation Needed But DF Bit Set messages. Unbound
does that if you tell it to use a buffer size which is sufficiently
small. Theoretically, even with a 1200-byte EDNS buffer size, there
could be IPv4 network paths which trigger fragmentation, but those will
be unusual.

Another benefit of this change is that many of the EDNS-related
problems go away.
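An added example, not part of the thread: a small Python helper that builds a DNS query advertising a chosen EDNS0 UDP payload size and reads the advertised size back out of any DNS message, so an operator can verify what a resolver or authoritative server actually announces on the wire. The 1200-byte ceiling used by `exceeds_ceiling` follows the figure discussed above; the function names and the sample query are assumptions of this example.

```python
import struct

EDNS_OPT_TYPE = 41  # OPT pseudo-RR type number (RFC 6891)


def build_query(qname, udp_payload_size=1200, qtype=1, txid=0x1234):
    """Build a DNS query with an EDNS0 OPT RR advertising udp_payload_size."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE/version/flags (all zero here), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past the wire-format name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def advertised_buffer_size(msg):
    """Return the UDP payload size from the OPT RR of a DNS message, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            return rclass  # for OPT, the CLASS field is the advertised buffer size
    return None


def exceeds_ceiling(msg, ceiling=1200):
    """True when the message advertises an EDNS buffer larger than ceiling (assumed 1200)."""
    size = advertised_buffer_size(msg)
    return size is not None and size > ceiling
```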