North American Network Operators Group


Re: Verisign broke GTLDs again?

  • From: Florian Weimer
  • Date: Mon May 16 12:08:45 2005

* Michael Tokarev:

>> EDNS0 can be easily abused for traffic amplification purposes. 8-(
>
> Root and TLD nameservers rarely have large answers to queries to
> exceed 512 bytes.

The miscreants have partial write access to most TLD zones, so they
can create record sets whose size approaches or exceeds 512 bytes.

> (And for those rare cases, if they exist, a TCP
> connection should be established to get a reply --

This seems to be Verisign's intent, and yet you still complain.

> But this does not really matter.  I repeat: One doesn't have to
> "support" EDNS0, just don't report it as error,

EDNS0-capable resolvers typically cache the information that another
server doesn't support EDNS0.  Returning FORMERR is compliant with RFC
2671.

> like broken routers do with ECN.

IIRC, the complaint with respect to ECN was that some routers dropped
packets *without* signaling an error.