<div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif">ref:</div><div class="gmail_default" style="font-family:georgia,serif"><a href="https://thehackernews.com/2020/11/sad-dns-new-flaws-re-enable-dns-cache.html">https://thehackernews.com/2020/11/sad-dns-new-flaws-re-enable-dns-cache.html</a><br></div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif">Is it appropriate to clamp edns to 1221 as suggested by the Microsoft Guidance here?</div><div class="gmail_default" style="font-family:georgia,serif"><a href="https://www.bleepingcomputer.com/news/security/microsoft-issues-guidance-for-dns-cache-poisoning-vulnerability/">https://www.bleepingcomputer.com/news/security/microsoft-issues-guidance-for-dns-cache-poisoning-vulnerability/</a><br></div><div class="gmail_default" style="font-family:georgia,serif"><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div class="gmail_default" style=""><font face="tahoma, sans-serif"># now clamped for CVE-2020-25705 mitigation SAD DNS</font></div><div class="gmail_default" style=""><font face="tahoma, sans-serif">edns-packet-max=1221</font></div><div class="gmail_default" style=""><font face="tahoma, sans-serif"><br></font></div></blockquote><font face="tahoma, sans-serif"><span class="gmail_default" style="font-family:georgia,serif">Or would this not even help?</span></font><div><font face="georgia, serif"><span class="gmail_default" style="font-family:georgia,serif">(I think my best effort has been enabling DNSSEC in dnsmasq.)</span><br></font><div><font face="tahoma, sans-serif"><span class="gmail_default" style="font-family:georgia,serif"><br></span></font></div><div><font face="tahoma, sans-serif"><span class="gmail_default" style="font-family:georgia,serif">Thank you for any advice, and</span></font></div><div><font face="tahoma, sans-serif"><span class="gmail_default" style="font-family:georgia,serif">best regards,</span></font></div><div><font face="tahoma, sans-serif"><span class="gmail_default" style="font-family:georgia,serif">Jim Alles</span></font></div></div></div>