DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)
Simon Josefsson
jas@extundo.com
Wed Jul 10 20:20:01 2002
Michael Graff <explorer@flame.org> writes:
> Simon Josefsson <jas@extundo.com> writes:
>
>> But to generate a 64kb UDP packet you need to have negotiated EDNS.0
>> with the other server. Is it possible to spoof that negotiation? I
>> don't know. But this isn't endemic to this; IPv6 and DNSSEC are going
>> to generate bigger packages too, making it possible to exploit this in
>> the same way. Hopefully EDNS.0 negotiations cannot be spoofed.
>
> There is no negotiation. The sender says "I can receive up to X bytes
> in a UDP reply" and the sender will use up to X bytes to reply, or set
> the truncated bit.
Ah. Ok. Then the keyserver should probably disable EDNS.0,
forcing clients to switch to TCP. This seems to be a generic problem
though.
> BTW, I'm one of the authors listed if you do a
>
> dig authors.bind. chaos txt
>
> to a bind9 server. :)
Then you should know. :-)
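The OPT-record mechanism Michael describes (the client advertises a UDP payload size in the CLASS field of an OPT pseudo-RR; the server answers within that budget or sets TC) and the server-side option Simon suggests (ignore EDNS.0 and cap UDP replies at the classic 512 bytes so that larger answers go out with TC=1 and the client retries over TCP), as an added Python example that is not code from this thread, from GnuPG or from BIND. The function names build_query, advertised_udp_size and plan_udp_reply and the sample query are assumptions made here.

```python
import struct

DNS_DEFAULT_UDP = 512     # RFC 1035 reply limit when no OPT record is present
TYPE_OPT = 41             # EDNS0 pseudo-RR type (RFC 2671)

def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def _skip_name(buf, off):
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def build_query(name, qtype=16, edns_bufsize=None, qid=0x1234):
    """Constructed query (TXT by default); with edns_bufsize set, append an OPT RR."""
    arcount = 1 if edns_bufsize else 0
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD flag set
    q = _encode_name(name) + struct.pack("!HH", qtype, 1)         # class IN
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        q += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return hdr + q

def advertised_udp_size(query):
    """UDP payload size the (unauthenticated) client claims it can receive."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return max(rclass, DNS_DEFAULT_UDP)   # RFC 2671: values below 512 mean 512
    return DNS_DEFAULT_UDP

def plan_udp_reply(query, reply_len, honour_edns=True):
    """Return (udp_limit, truncate): truncate=True means send TC=1 so the
    client retries over TCP; honour_edns=False is the 'EDNS.0 disabled' policy."""
    limit = advertised_udp_size(query) if honour_edns else DNS_DEFAULT_UDP
    return limit, reply_len > limit
```

With honour_edns=False a 3000-byte key lookup reply is never sent over UDP on the strength of a spoofable size claim; the client must open a TCP connection, which a forged source address cannot complete.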