Re: [DNSOP] Should root-servers.net be signed

"George Barwood" <george.barwood@blueyonder.co.uk> Fri, 19 March 2010 13:09 UTC

Message-ID: <6D6F580F8CFB4DB5AB32566FB608088D@localhost>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost><0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca><alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk><A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca><43FC3F50679F458A869F99D72ECD1237@localhost><20100309151726.GC5108@dul1mcmlarson-l1-2.local> <6C56581E-D4F4-4A49-A3B4-CB7F1CF42E29@icsi.berkeley.edu> <183BEF785A9844F186558A87848A6698@localhost> <061F30F4-E0EE-40E6-A54D-246D9E9A9D77@ICSI.Berkeley.EDU>
Date: Fri, 19 Mar 2010 13:09:06 -0000
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed

----- Original Message ----- 
From: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>; "Matt Larson" <mlarson@verisign.com>; <dnsop@ietf.org>
Sent: Friday, March 19, 2010 12:33 PM
Subject: Re: [DNSOP] Should root-servers.net be signed

>On Mar 19, 2010, at 12:21 AM, George Barwood wrote:
>> I suggest the default value in BIND for max-udp-size should be 1450.
>> This appears to be best practice.
>> Since few zones are currently signed, it's not too late to make this change.
>> Later on it may be more difficult.


>Actually, I'd say this ONLY for the root and TLDs.  For the rest, the onus should be on the resolver to discover that it can't handle fragmentation and >adjust the MTU appropriately.

There are advantages besides messages being lost.
It also prevents spoofing of fragments, and limits amplification attacks.
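
As a worked illustration of the point argued in this thread (that capping the size of UDP replies keeps them under the path MTU, so nothing is fragmented, and bounds the reply-to-query ratio), here is a small model of an authoritative server's UDP response decision. This is added example code for this archive page, not BIND's code and not the poster's. BIND's relevant option is max-udp-size (edns-udp-size controls what a resolver advertises); the IPv4/IPv6 and UDP header sizes, the 1500-byte path MTU, the 512-byte non-EDNS baseline, the 2000-byte signed answer and the size of a truncated reply are all constructed assumptions, marked in the comments. The model also shows why 1450 rather than 1472 is comfortable: 1450 bytes plus 8 bytes UDP plus 40 bytes IPv6 is 1498, so the same cap fits an unfragmented 1500-byte path on both IP versions.

```python
"""Model of how an authoritative server's UDP response cap (BIND's
max-udp-size) interacts with the client's EDNS0 buffer size, IPv4
fragmentation and amplification.  Illustration only: not BIND code
and not the poster's.  Header sizes, the path MTU and the size of a
truncated reply are assumptions, marked below."""
from dataclasses import dataclass

IPV4_HEADER = 20           # bytes, no options (assumption)
IPV6_HEADER = 40
UDP_HEADER = 8
PATH_MTU = 1500            # typical Ethernet path (assumption)
CLASSIC_DNS_UDP_MAX = 512  # RFC 1035 UDP limit without EDNS0


@dataclass
class Outcome:
    transport: str        # "udp" (full answer) or "udp-truncated" (TC=1, client retries over TCP)
    udp_payload: int      # DNS message bytes actually sent in the UDP reply
    fragments: int        # IPv4 fragments needed to carry that reply
    amplification: float  # reply bytes on the wire / query bytes on the wire


def max_unfragmented_payload(mtu=PATH_MTU, ip_header=IPV4_HEADER):
    """Largest UDP payload that fits in one IP packet of this MTU."""
    return mtu - ip_header - UDP_HEADER


def effective_udp_limit(client_bufsize, server_max_udp_size):
    """Largest DNS message the server will put in a single UDP reply.
    A query with no OPT record is treated as advertising 512 bytes, and
    the cap is never taken below 512 (assumption matching the RFC 1035 baseline)."""
    advertised = client_bufsize or CLASSIC_DNS_UDP_MAX
    return max(CLASSIC_DNS_UDP_MAX, min(advertised, server_max_udp_size))


def fragment_count(udp_payload, mtu=PATH_MTU):
    """IPv4 fragments needed for a UDP datagram with this payload.
    Each fragment carries its own IP header; fragment data must be a
    multiple of 8 bytes except in the last fragment."""
    total = IPV4_HEADER + UDP_HEADER + udp_payload
    if total <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # usable data per fragment
    data = total - IPV4_HEADER                     # UDP header + payload to split
    return -(-data // per_fragment)                # ceiling division


def respond(response_size, query_size, client_bufsize, server_max_udp_size):
    """Decide how the server answers: whole over UDP, or truncated (TC=1)."""
    limit = effective_udp_limit(client_bufsize, server_max_udp_size)
    if response_size <= limit:
        payload, transport = response_size, "udp"
    else:
        # Over the agreed limit: reply with TC=1 carrying header and question
        # only, modelled here as the same size as the query (assumption).  The
        # client retries over TCP; the UDP reply stays small, so there is
        # nothing to fragment and little to amplify.
        payload, transport = query_size, "udp-truncated"
    wire_reply = IPV4_HEADER + UDP_HEADER + payload
    wire_query = IPV4_HEADER + UDP_HEADER + query_size
    return Outcome(transport, payload, fragment_count(payload), wire_reply / wire_query)


def compare_caps(response_size=2000, query_size=60, client_bufsize=4096,
                 server_caps=(4096, 1450)):
    """Same 2000-byte signed answer (constructed size, e.g. a DNSKEY RRset)
    under different server caps, for a client advertising 4096 bytes."""
    return {cap: respond(response_size, query_size, client_bufsize, cap)
            for cap in server_caps}


if __name__ == "__main__":
    print("unfragmented payload, IPv4/1500:", max_unfragmented_payload())
    print("unfragmented payload, IPv6/1500:", max_unfragmented_payload(ip_header=IPV6_HEADER))
    for cap, o in compare_caps().items():
        print(f"max-udp-size {cap}: {o.transport}, {o.udp_payload} B payload, "
              f"{o.fragments} fragment(s), amplification {o.amplification:.1f}x")
```

With the 4096-byte cap the 2000-byte answer goes out over UDP in two IPv4 fragments at roughly 23x amplification; with the 1450-byte cap the same answer is truncated, the UDP reply is no larger than the query, and the resolver fetches the full answer over TCP.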