Re: [knot-dns-users] forcing minimal fragment size for IPv6 datagrams

I agree with Daisuke Higashi's comment on the issue tracker. There may be other applications running on the same server as Knot (e.g., a web server), so a global OS level configuration setting is probably not granular enough.

Are you referring to a “Fragmentation Considered Poisonous” style attack? One of the countermeasures described in that paper is: Yet another possible defense for name servers, is to always add a random RR to any packet over certain size (i.e., which may be fragmented). A simple type A resource record, containing random IP address for some fictitious domain name, would suffice. The TTL of such an RR should be set to zero to prevent the resolver from caching that record. This would prevent the attacker from being able to predict and (correctly) adjust the checksum value. If there are multiple vulnerable fragments, such a random RR should appear in each fragment. That is a little too fast and loose to be deployable in the real world, but it seems like EDNS cookies would serve the same purpose, at least in the two fragment case (and if the OPT RR is pushed to the end of the additional section to guarantee that it appears in the second fragment)?

There was a long thread a while back on the dns-operations mailing list that may be of interest, starting here: https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/004021.html