[Dnssec-deployment] First signed root zone published
Paul Vixie
vixie at isc.org
Sat Jul 17 12:46:23 EDT 2010
> From: "George Barwood" <george.barwood at blueyonder.co.uk>
> Date: Sat, 17 Jul 2010 06:38:00 +0100
>
> I have a security concern about the .SE domain.
why would this be specific to the .SE domain?
> It's easy to trigger responses > 1500 bytes, for example
>
> dig SOA se +dnssec
>
> This means that IP fragmentation will typically occur, and fragments
> (other than the first) can easily be spoofed, since they contain neither
> the source port nor the DNS ID field.
florian weimer pointed this out three years ago, we all thought about it,
we all moved on. (so, let's keep moving on.)
> I would therefore recommend that the UDP response size be limited to
> ~1400 bytes.
for all dnssec servers, or for just tld's, or for just .se? (and: please
explain the reasons for your answer?)
> Recent versions of BIND have an option to do this.
>
> Ideally this would be documented in rfc2671bis-edns0, unfortunately that
> document seems to be making slow progress.
this whole line of inquiry is crazy by my standards.
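The fragmentation point under discussion, as an added example that is not part of the original thread or of any of the participants' code: the script below builds an oversized UDP/DNS response, splits it the way an IPv4 sender would at a 1500-byte MTU, and reports which fragments actually carry the UDP ports and the DNS ID. It models only the sender-side fragmentation rule (20-byte IPv4 header, fragment offsets in 8-byte units); checksums are left zero, the 192.0.2.x addresses, ports and DNS ID 0x1234 are constructed test values, and nothing is sent on the wire.

```python
"""
Added example (not from the mailing-list thread): demonstrate why only the
first IPv4 fragment of a large UDP/DNS response carries the UDP ports and
the DNS ID, and why capping the response at ~1400 bytes avoids the issue.
All packets here are constructed in memory; nothing is transmitted.
"""
import struct

IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
MTU = 1500


def build_dns_response(dns_id, body_len):
    """Constructed DNS response: 12-byte header (QR|AA set) followed by
    body_len bytes of filler standing in for a signed answer section."""
    header = struct.pack("!HHHHHH", dns_id, 0x8400, 0, 1, 0, 0)
    return header + b"\x00" * body_len


def build_udp(src_port, dst_port, payload):
    """UDP header plus payload; checksum left zero (optional over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port,
                       UDP_HDR_LEN + len(payload), 0) + payload


def fragment_ipv4(ip_id, transport, mtu=MTU):
    """Split a UDP datagram into IPv4 fragments for the given MTU.
    Every fragment gets its own 20-byte IPv4 header with the same
    identification field; offsets are in 8-byte units, so each non-final
    fragment carries a multiple of 8 payload bytes."""
    max_payload = (mtu - IPV4_HDR_LEN) // 8 * 8
    frags = []
    offset = 0
    while offset < len(transport):
        chunk = transport[offset:offset + max_payload]
        more = offset + len(chunk) < len(transport)
        flags_frag = (0x2000 if more else 0) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s",
                          0x45, 0, IPV4_HDR_LEN + len(chunk),
                          ip_id, flags_frag, 64, 17, 0,
                          bytes([192, 0, 2, 53]),   # constructed server address
                          bytes([192, 0, 2, 1]))    # constructed resolver address
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def fragment_report(frags):
    """For each fragment, extract the fields a receiver could match on.
    Only the offset-0 fragment contains the UDP header and DNS header, so
    only it exposes ports and DNS ID; later fragments are reassembled purely
    on (src, dst, protocol, 16-bit IP identification)."""
    report = []
    for f in frags:
        ip_id, flags_frag = struct.unpack("!HH", f[4:8])
        offset = (flags_frag & 0x1FFF) * 8
        entry = {"ip_id": ip_id, "offset": offset, "length": len(f),
                 "more_fragments": bool(flags_frag & 0x2000)}
        if offset == 0:
            sport, dport = struct.unpack("!HH", f[20:24])
            (dns_id,) = struct.unpack("!H", f[28:30])
            entry.update(udp_ports=(sport, dport), dns_id=dns_id)
        else:
            entry.update(udp_ports=None, dns_id=None)
        report.append(entry)
    return report


def fragments_for_dns_size(dns_len, mtu=MTU):
    """How many IPv4 fragments a DNS message of dns_len bytes produces."""
    transport = build_udp(53, 40000, build_dns_response(0x1234, dns_len - 12))
    return len(fragment_ipv4(0x4242, transport, mtu))


if __name__ == "__main__":
    big = build_udp(53, 40000, build_dns_response(0x1234, 1788))  # 1800-byte DNS msg
    for e in fragment_report(fragment_ipv4(0x4242, big)):
        print(e)
    print("1400-byte response ->", fragments_for_dns_size(1400), "fragment(s)")
    print("1800-byte response ->", fragments_for_dns_size(1800), "fragment(s)")
```

Run it and the second fragment shows `udp_ports=None, dns_id=None`: the only per-datagram value an off-path sender must match to get a forged trailing fragment accepted into reassembly is the 16-bit IP identification, which is the point Barwood raises. A 1400-byte DNS message becomes a 1428-byte IP datagram and is never fragmented at a 1500-byte MTU, which is what the suggested UDP size cap buys.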