Closed moonshiner closed 1 year ago
Here is some suggested text:
An operational issue arises from the DNS protocol only being able to query for "all TXT records" at a single location: if multiple services all require TXT records, this can cause the DNS answer for TXT records to become very large. Also, in large organizations there may be many different parts that may be licensing software requiring its own domain verification record. It has been observed that some well known domains had so many services, as well as different versions of the same service, deployed that their DNS TXT answer did not fit in a single UDP DNS packet.
This results in fragmentation which is known to be vulnerable to various attacks ({{!AVOID-FRAGMENTATION=I-D.ietf-dnsop-avoid-fragmentation}}). It can also lead to UDP packet truncation, causing a retry over TCP. Not all networks properly transport DNS over TCP and some DNS software mistakenly believes TCP support is optional ({{RFC9210}}).
I've been looking for ops documents or talks raising this with little luck.
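A rough size check for the apex TXT RRset the suggested text describes, as an added example that is not part of the issue or the draft: it estimates the wire size of a minimal TXT response and reports whether it fits in classic 512-byte UDP, needs an EDNS buffer, or would be truncated and retried over TCP. The owner name example.com and the verify-svcNN records are constructed placeholders, and the model assumes name compression in the answer section and an 11-byte OPT RR when EDNS is used.

```python
# Added example: estimate whether an apex TXT RRset fits in one UDP DNS response.
# Owner name and verification strings below are constructed placeholders.

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload, no EDNS
EDNS_RECOMMENDED = 1232   # DNS flag day 2020 buffer size
HEADER_LEN = 12
OPT_RR_LEN = 11           # root name (1) + TYPE, CLASS, TTL, RDLENGTH (10)
RR_FIXED_LEN = 10         # TYPE, CLASS, TTL, RDLENGTH after the owner name
NAME_POINTER_LEN = 2      # compressed owner name: pointer to the QNAME

def txt_rdata_len(text: str) -> int:
    """TXT RDATA is one or more <character-string>s: a length byte plus up to
    255 octets each, so long strings cost one extra byte per 255-octet chunk."""
    data = text.encode()
    chunks = max(1, (len(data) + 254) // 255)  # empty TXT still has a length byte
    return len(data) + chunks

def wire_name_len(owner: str) -> int:
    """Uncompressed owner name: one length byte per label plus the root byte."""
    labels = [lab for lab in owner.rstrip(".").split(".") if lab]
    return sum(len(lab) + 1 for lab in labels) + 1

def response_size(owner: str, texts: list[str], edns: bool = True) -> int:
    """Minimal response to 'owner TXT': header, question, one RR per string
    (owner compressed to a pointer), plus an OPT RR when EDNS is in use."""
    question = wire_name_len(owner) + 4  # QNAME + QTYPE + QCLASS
    answers = sum(NAME_POINTER_LEN + RR_FIXED_LEN + txt_rdata_len(t) for t in texts)
    return HEADER_LEN + question + answers + (OPT_RR_LEN if edns else 0)

def classify(owner: str, texts: list[str], edns_bufsize: int = EDNS_RECOMMENDED) -> str:
    """Which delivery path from the thread applies to this RRset."""
    if response_size(owner, texts, edns=False) <= CLASSIC_UDP_LIMIT:
        return "classic"  # fits even for resolvers without EDNS
    if response_size(owner, texts, edns=True) <= edns_bufsize:
        return "edns"     # needs an EDNS buffer; may fragment on constrained paths
    return "tcp"          # server sets TC=1 and the client must retry over TCP

def constructed_records(n: int) -> list[str]:
    """n placeholder verification records shaped 'verify-svcNN=<44 chars>'."""
    return [f"verify-svc{i:02d}={'x' * 44}" for i in range(n)]

if __name__ == "__main__":
    for n in (6, 7, 17, 18):
        recs = constructed_records(n)
        print(n, response_size("example.com", recs), classify("example.com", recs))
```

With these 70-byte records, seven already push an example.com apex past 512 bytes and eighteen exceed the 1232-byte EDNS buffer, which is the truncation-and-TCP-retry case the text describes.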
Tim - apologies that I did not see this issue before I already composed my text on this point.
I'd also like to raise the visibility of the point regarding operational issues with ganging up TXT records for many applications at the zone apex. Right now, it is buried in section A.1.1 of the appendix. And I think it deserves to be highlighted prominently in its own section up front and not in the appendix. I will propose a PR for that.