DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Simon Josefsson jas@extundo.com
Wed Jul 10 20:20:01 2002

Michael Graff <explorer@flame.org> writes:

> Simon Josefsson <jas@extundo.com> writes:
>> But to generate a 64kb UDP packet you need to have negotiated EDNS.0
>> with the other server.  Is it possible to spoof that negotiation?  I
>> don't know.  But this isn't endemic to this, IPv6 and DNSSEC is going
>> to generate bigger packages too, making it possible to exploit this in
>> the same way.  Hopefully EDNS.0 negotiations cannot be spoofed.
> There is no negotiation.  The sender says "I can receive up to X bytes
> in a UDP reply" and the sender will use up to X bytes to reply, or set
> the truncated bit.

Ah. Ok.  Then the keyserver should probably disable EDNS.0 then,
forcing clients to switch to TCP.  This seems to be a generic problem

> BTW, I'm one of the authors listed if you do a
>         dig authors.bind. chaos txt
> to a bind9 server.  :)

Then you should know. :-)