[80875] in North American Network Operators' Group
Re: Verisign broke GTLDs again?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon May 16 12:07:10 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: nanog@merit.edu
Date: Mon, 16 May 2005 18:05:11 +0200
In-Reply-To: <4288B064.7080205@tls.msk.ru> (Michael Tokarev's message of "Mon, 16 May 2005 18:38:28 +0400")
Errors-To: owner-nanog@merit.edu
* Michael Tokarev:
>> EDNS0 can be easily abused for traffic amplification purposes. 8-(
>
> Root and TLD nameservers rarely have large answers to queries to
> exceed 512 bytes.
The miscreants have partial write access to most TLD zones, so they
can create record sets whose size approaches or exceeds 512 bytes.
> (And for those rare cases, if they exist, TCP
> connection should be established to get a reply --
This seems to be Verisign's intent, and yet you still complain.
> But this does not really matter. I repeat: One doesn't have to
> "support" EDNS0, just don't report it as error,
EDNS0-capable resolvers typically cache the information that another
server doesn't support EDNS0. Returning FORMERR is compliant with RFC
2671.
> like broken routers do with ECN.
IIRC, the complaint with respect to ECN was that some routers dropped
packets *without* signaling an error.
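The FORMERR fallback described above (a resolver probing with an OPT pseudo-RR, getting FORMERR from a server that predates RFC 2671, retrying without EDNS0 and remembering that server), as an added example that is not from this thread. The legacy server, the transport callable and the `Resolver` class are constructed stand-ins, not any real implementation.

```python
import struct

OPT_TYPE = 41          # OPT pseudo-RR type defined by RFC 2671
RCODE_FORMERR = 1

def build_query(name, qtype=1, edns0=False, udp_size=4096):
    """Minimal wire-format query (ID 0x1234, RD set); edns0=True appends an OPT RR
    advertising udp_size so answers above 512 bytes may come back over UDP."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0) if edns0 else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def has_opt_record(query):
    """True when ARCOUNT > 0 and the trailing 11-byte RR is type 41 (OPT)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    return arcount > 0 and struct.unpack("!H", query[-10:-8])[0] == OPT_TYPE

def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def legacy_server(query):
    """Constructed stand-in for a pre-EDNS0 authoritative server: it does not
    understand the OPT RR and answers FORMERR, which RFC 2671 permits."""
    if has_opt_record(query):
        return query[:2] + struct.pack("!H", 0x8000 | RCODE_FORMERR) + query[4:12]
    return query[:2] + struct.pack("!H", 0x8400) + query[4:12] + query[12:]  # QR, AA, NOERROR

class Resolver:
    """EDNS0-capable stub resolver that remembers which servers rejected OPT."""
    def __init__(self, transport):
        self.transport = transport     # callable(server, query_bytes) -> response_bytes
        self.no_edns = set()           # servers that answered an OPT query with FORMERR
        self.sent = []                 # (server, used_edns0) log for inspection

    def _send(self, server, query, used_edns0):
        self.sent.append((server, used_edns0))
        return self.transport(server, query)

    def query(self, server, name):
        use_edns = server not in self.no_edns
        resp = self._send(server, build_query(name, edns0=use_edns), use_edns)
        if use_edns and rcode(resp) == RCODE_FORMERR:
            self.no_edns.add(server)   # cache the fact; later queries skip the OPT probe
            resp = self._send(server, build_query(name, edns0=False), False)
        return resp
```

The first query to the legacy server costs one extra round trip; every later query to it goes out without the OPT RR, which is the caching behaviour the reply refers to.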