logoalt Hacker News

Hizonneryesterday at 11:23 PM2 repliesview on HN

> Yes, but doesn't IPv6 also increase the "maximum safe UDP packet size" from 512 bytes to 1280?

Sure would be nice if people used IPv6. Even if you're actually sending data over IPv6, that doesn't mean the DNS lookups are going over IPv6. Infrastructure like that lags.

> This has been a flagged issue in DNSSEC since it was originally considered. This was a massive oversight on their part and was only added because DNSSEC originally made it quite easy to probe entire DNS trees and expose obscured RRs.

... probably because the people who originally designed DNSSEC (and DNS) couldn't believe that people would be crazy enough to try to keep their DNS records secret (or run split address spaces, for that matter). But anyway, whatever the reason, the replies are big and that has to be dealt with.

> Fair enough but are network clients actually meant to use DNSSEC?

You should be validating as close to the point of use as possible.

> Isn't this just an issue for authoritative and recursive DNSSEC resolvers to and down the roots?

If by "resolvers" you mean "local resolution-only servers", then that's common, but arguably bad, practice.

Anyway, using TCP also neuters DNS as a DoS amplifier, at least if you can make it universal enough to avoid downgrade attacks.

Replies

croteyesterday at 11:37 PM

> probably because the people who originally designed DNSSEC (and DNS) couldn't believe that people would be crazy enough to try to keep their DNS records secret

I wonder if it's time to just retire this mechanism. In 2025 you'd have to be crazy to not use encryption with an internet-facing host, which in practice usually means TLS, which means your hostname is already logged in Certificate Transparency logs and trivially enumerated.

show 1 reply
themafiayesterday at 11:35 PM

> couldn't believe that people would be crazy enough to try to keep their DNS records secret

You'd hope people working on DNS would have had broader actual experience with it. There was an ironic lack of paranoia in the DNSSEC people and they seemed overly focused on one peculiar problem, which is, it's easy to spoof DNS responses when you typically only have at most 2**16 - 1024 ports to choose from. They sort of ignored everything else.

> If by "resolvers" you mean "local resolution-only servers", then that's common, but arguably bad, practice.

I haven't kept pace with DNSSEC, but originally, this was the _recommended_ configuration. Has that changed?

> Anyway, using TCP also neuters DNS as a DoS amplifier,

We're ensuring all servers support TCP, but we're not anywhere near dropping UDP.

show 1 reply