To:
Bill Manning <bmanning@isi.edu>
Cc:
dnssec@cafax.se
From:
Mark.Andrews@isc.org
Date:
Thu, 19 Sep 2002 12:17:36 +1000
In-reply-to:
Your message of "Tue, 17 Sep 2002 11:14:03 MST." <200209171814.g8HIE3p03471@boreas.isi.edu>
Sender:
owner-dnssec@cafax.se
Subject:
Re: key length & fragmentation
> See the point above. If IDS/firewalls toss UDP fragments,
> we lose.

Firewalls that toss UDP fragments are inherently broken. This is no different to CISCO's PIX firewall. It drops DNS/UDP responses that are greater than 512 bytes whether they are fragmented or not. No one here would argue that we should not proceed with EDNS because of this. Similarly we should not constrain EDNS because some firewalls can't cope with fragmented UDP.

The firewalls should be fixed. In the meantime the clients are perfectly able to reduce the advertised buffer size if they wish; however, that default should not be this small.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: Mark.Andrews@isc.org
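The advertised buffer size Mark refers to is carried in the CLASS field of the EDNS0 OPT pseudo-RR, so a client lowers it simply by putting a smaller value there. The following is an added example, not code from this thread or from ISC: it builds a query advertising a chosen UDP payload size and reads the advertised size back out of a DNS message, using only the Python standard library (names such as `build_edns_query` are my own).

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type code (RFC 2671)


def _encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels, root terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, and it ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off


def build_edns_query(qname: str, qtype: int, udp_size: int, txid: int = 0x1234) -> bytes:
    """Build a DNS query whose OPT RR advertises `udp_size` as the client's UDP buffer."""
    # header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)   # qclass IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=extended rcode/version/flags (all zero here), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(pkt: bytes):
    """Return the EDNS0 UDP payload size found in a DNS message, or None if it has no OPT RR.

    A message without OPT is a plain (pre-EDNS) query: the responder must fit the
    answer in 512 bytes or set TC and fall back to TCP.
    """
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                          # skip the question section
        off = _skip_name(pkt, off) + 4           # name, then qtype + qclass
    for _ in range(an + ns + ar):                # walk every RR until we find OPT
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                        # CLASS carries the advertised size
        off += 10 + rdlen
    return None
```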