moonshiner
commented
1 year ago Here is some suggested text:
An operational issue arises from the DNS protocol only being able to query for "all TXT records" at a single location: if multiple services all require TXT records, this can cause the DNS answer for TXT records to become very large. Also in large organizations there may be many different parts that be licensing a software requiring its own domain verification record. It has been observed that some well known domains had so many services, as well as different versions of the same service, deployed hat their DNS TXT answer did not fit in a single UDP DNS packet.
This results in fragmentation which is known to be vulnerable to various attacks ({{!AVOID-FRAGMENTATION=I-D.ietf-dnsop-avoid-fragmentation}}). It can also lead to UDP packet truncation, causing a retry over TCP. Not all networks properly transport DNS over TCP and some DNS software mistakenly believe TCP support is optional ({{RFC9210}}).
shuque
I'd also like to raise the visibility of the point regarding operational issues with ganging up TXT records for many applications at the zone apex. Right now, it is buried in section A.1.1 of the appendix. And I think it deserves to be highlighted prominently in its own section up front and not in the appendix. I will propose a PR for that.