[Dnssec-deployment] First signed root zone published

Patrik Fältström patrik at frobbit.se
Sat Jul 17 03:42:12 EDT 2010


On 17 jul 2010, at 07.38, George Barwood wrote:

> This means that IP fragmentation will typically occur, and fragments (other than the first) can
> easily be spoofed, since they contain neither the source port nor the DNS ID field.

Can you please show some real case where IP fragmentation has been a problem?

I have heard too many people talking about theoretical problems with fragmented UDP packets. When I ask people that run IP networks, they have not seen any problems. Problems might arise if you have fragmented IP packets, together with packet reordering and an incident when the 2nd packet arrives before the 1st. If you have a network where this happens, you might have other problems. But when I ask people about incidents like these, I have not heard of any.

Can people that do have problems with fragmented IP packets on the public Internet (i.e. fragmentation between full service resolvers and authoritative nameservers) please contact me?

   Patrik
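
The field layout behind the quoted statement, as an added example that is not part of the original message: it splits a constructed UDP/DNS response the way IPv4 fragmentation does and reports which fragments carry the UDP ports and DNS ID a resolver matches against its query. The 1500-byte MTU, the 20-byte option-free IPv4 header, the port numbers, the DNS ID and the response sizes are assumptions chosen for illustration.

```python
import struct

IP_HEADER_LEN = 20   # assumption: IPv4 header without options
UDP_HEADER_LEN = 8

def build_udp_datagram(src_port, dst_port, dns_id, dns_len):
    """Constructed sample: UDP header, then a DNS message whose first two
    bytes are the ID; zero filler stands in for a large signed response."""
    dns = struct.pack("!H", dns_id) + b"\x00" * (dns_len - 2)
    udp_len = UDP_HEADER_LEN + len(dns)
    return struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + dns

def fragment(ip_payload, mtu):
    """Split an IP payload as IPv4 does: every fragment except the last
    carries a multiple of 8 bytes, because offsets are in 8-byte units."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(ip_payload), max_data):
        chunk = ip_payload[off:off + max_data]
        more = off + len(chunk) < len(ip_payload)
        frags.append({"offset": off, "mf": more, "data": chunk})
    return frags

def transport_fields(frag):
    """Return (src_port, dst_port, dns_id) if this fragment contains them.
    Only the fragment at offset 0 holds the UDP and DNS headers."""
    if frag["offset"] != 0 or len(frag["data"]) < UDP_HEADER_LEN + 2:
        return None
    src, dst = struct.unpack("!HH", frag["data"][:4])
    (dns_id,) = struct.unpack("!H", frag["data"][8:10])
    return src, dst, dns_id

def summarize(dns_len, mtu=1500):
    """One row per fragment: (offset, more-fragments flag, bytes, fields)."""
    dgram = build_udp_datagram(53, 40123, 0xBEEF, dns_len)
    return [(f["offset"], f["mf"], len(f["data"]), transport_fields(f))
            for f in fragment(dgram, mtu)]

if __name__ == "__main__":
    for size in (1200, 1800):   # constructed response sizes
        print(size, summarize(size))
```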
