[dns-wg] [dns-operations] Announcement - DNS flag day on 2019-02-01
Florian Weimer fw at deneb.enyo.de
Thu Jun 14 07:34:56 CEST 2018
* Mark Andrews:

>> On 14 Jun 2018, at 6:51 am, Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> * Petr Špaček:
>>
>>> you might be interested in information about "DNS flag day" coordinated
>>> by open-source DNS vendors and is planned for 2019-02-01
>>> (February 1st 2019).
>>>
>>> Further information can be found on
>>> https://dnsflagday.net/
>>
>> Is there still no reduction of EDNS buffer size to around 1200 bytes?
>> Isn't it time after ten years to address that particular
>> vulnerability?
>
> If you are talking about fragmentation reassembly attacks you need to
> use something with a cryptographic hash independent of EDNS.

Or you can avoid fragmentation in the first place, which includes
ignoring ICMP Fragmentation Needed But DF Bit Set messages. Unbound does
that if you tell it to use a buffer size which is sufficiently small.
Theoretically, even with a 1200-byte EDNS buffer size, there could be
IPv4 network paths which trigger fragmentation, but those will be
unusual. Another benefit of this change is that many of the
EDNS-related problems go away.
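As an added illustration of the buffer-size field this exchange is about (example code, not from the thread, from Unbound or from any DNS vendor), the following builds a query carrying an EDNS0 OPT record, reads the advertised UDP payload size back out of a raw message, and flags anything above the ~1200-byte figure mentioned above. The query name and the 1200-byte threshold are assumptions chosen for the example.

```python
"""Build and inspect the EDNS0 OPT pseudo-record that advertises a UDP buffer size.

Added example, not code from the mailing-list thread. The OPT layout follows
RFC 6891: NAME = root (0x00), TYPE = 41, CLASS = requestor's UDP payload size,
TTL = extended RCODE / version / flags, RDLENGTH = 0 when no options are present.
"""
import struct

OPT_TYPE = 41
SAFE_BUFSIZE = 1200  # assumed threshold: the ~1200-byte figure discussed in the thread


def build_query(qname: str, qtype: int, bufsize: int) -> bytes:
    """Return a DNS query for qname/qtype whose OPT record advertises bufsize."""
    # id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)  # CLASS carries bufsize
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def advertised_bufsize(msg: bytes):
    """Return the UDP payload size advertised by the message's OPT record, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass  # for OPT, CLASS is the advertised buffer size
        off += 10 + rdlen
    return None


def may_fragment(msg: bytes, limit: int = SAFE_BUFSIZE) -> bool:
    """True if the advertised buffer exceeds limit, so a full-size UDP reply could fragment."""
    size = advertised_bufsize(msg)
    return size is not None and size > limit
```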