by tasqa 3772 days ago
Looking for a quick mitigation technique before patches start rolling out... Would it be wise to limit responses to 512 bytes so the payload cannot be loaded?

Configuring BIND to use a specific buffer size (only for BIND 9.3.2 and newer):

Add the following line to the "options" section of your named.conf file:

edns-udp-size n;

Configuring Unbound to use a specific buffer size:

Add the following line to the "server" section of your unbound.conf file:

edns-buffer-size: n

source: https://labs.ripe.net/Members/anandb/content-testing-your-re...

2 comments

I haven't tested it, but I'd expect not. Given a limited EDNS0 buffer size, UDP responses would either come back with a truncated flag or not at all. Either case would trigger a TCP retry, and the bug can be triggered that way.
I feel like this would depend on where in the BIND code the size restriction is being enforced.

Sounds promising, however.
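Added example, not part of the thread or of BIND/Unbound: a small, offline model of what the edns-udp-size / edns-buffer-size settings above actually change on the wire, and why the first comment expects a TCP retry. The client's limit only travels in the CLASS field of the EDNS0 OPT pseudo-RR (RFC 6891); a compliant responder that cannot fit the answer into that limit sends a header plus question with TC=1, and the client is then expected to retry the same query over TCP, so the data still arrives. All messages are constructed here, the function names are mine, and the responder model is simplified (real servers may keep partial records or the OPT RR in a truncated reply).

```python
"""Model the effect of an EDNS0 UDP buffer limit on a DNS exchange (constructed, offline)."""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000       # response
FLAG_TC = 0x0200       # truncated
FLAG_RD = 0x0100       # recursion desired
DNS_HEADER_LEN = 12


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_payload_size: int) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = sender's UDP payload size, TTL = 0, no RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_query(qname: str, qtype: int, txid: int, udp_payload_size: int) -> bytes:
    """Query with one question and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(udp_payload_size)


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg: bytes) -> int:
    """Offset just past the first question (name + QTYPE + QCLASS)."""
    i = DNS_HEADER_LEN
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size carried in the query's OPT RR; 512 if no OPT RR is present."""
    h = parse_header(query)
    i = question_end(query)
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        if query[i] & 0xC0 == 0xC0:        # compression pointer
            i += 2
        else:                              # label sequence
            while query[i] != 0:
                i += 1 + query[i]
            i += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[i:i + 10])
        if rtype == OPT_TYPE:
            return rclass
        i += 10 + rdlen
    return 512


def respond_within_limit(full_response: bytes, limit: int) -> bytes:
    """Simplified compliant responder: send the whole message if it fits the client's
    limit, otherwise send header + question with TC=1 so the client retries over TCP."""
    if len(full_response) <= limit:
        return full_response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_response[:DNS_HEADER_LEN])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + full_response[DNS_HEADER_LEN:question_end(full_response)]


def needs_tcp_retry(response: bytes) -> bool:
    """What a resolver checks before falling back to TCP: the TC bit."""
    return parse_header(response)["tc"]


def build_sample_response(query: bytes, n_answers: int) -> bytes:
    """Constructed response: echoes the question, then n_answers TXT records of
    112 bytes each, so the message can be pushed past 512 bytes on demand."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD, 1, n_answers, 0, 0)
    txt = b"\x63" + b"A" * 99          # one TXT <character-string>: length byte + 99 chars
    rr = b""
    for _ in range(n_answers):
        rr += b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 60, len(txt)) + txt
    return header + query[DNS_HEADER_LEN:question_end(query)] + rr


def demo(limit: int = 512) -> dict:
    """Client advertises `limit`; a 589-byte answer exceeds 512 and comes back truncated."""
    q = build_query("example.com.", 1, 0x1234, limit)
    full = build_sample_response(q, 5)
    sent = respond_within_limit(full, advertised_udp_size(q))
    return {"full_len": len(full), "udp_len": len(sent), "tcp_retry": needs_tcp_retry(sent)}


if __name__ == "__main__":
    print(demo(512))    # a 512-byte limit: the answer is truncated and a TCP retry follows
    print(demo(4096))   # a 4096-byte limit: the same answer fits in one UDP datagram
```

Running `demo(512)` shows the point made in the comments: the limit does not make the 589-byte answer disappear, it only forces TC=1 and a TCP retry, so a resolver-side response parser still sees the full payload, just over a different transport.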