Add a knob in config for EDNS0 max buf size and setting the DF in UDP headers
We need to add two new config options as a defense against UDP fragmentation attacks:
- set max EDNS0 buffer size
- set DF flag for UDP responses (where possible)
Unfortunately we cannot set this by default: although it would be easy on IPv6 (just set it to 1280), for IPv4 the minimum fragment size is 48 bytes, which is too low.
Still, an experienced DNS administrator can pick the right value for their network.
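
A sketch of what the two options could do at the socket level, added here as an illustration and not taken from the project's code. The function names, the 512-byte floor handling and the sample sizes in `main` are assumptions; the socket options are the ones Linux and the BSDs expose, which is why the DF setting only works "where possible".

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

#define DNS_PLAIN_UDP_MAX 512 /* UDP limit without EDNS0 (RFC 1035) */

/* Response size limit for one query (hypothetical helper).
 * client_adv: payload size from the client's OPT record, 0 if no EDNS0.
 * cfg_max:    the operator's configured maximum EDNS0 buffer size. */
uint16_t edns_effective_payload(uint16_t client_adv, uint16_t cfg_max)
{
    if (client_adv == 0)
        return DNS_PLAIN_UDP_MAX;           /* no OPT record in the query */
    if (client_adv < DNS_PLAIN_UDP_MAX)     /* RFC 6891: treat <512 as 512 */
        client_adv = DNS_PLAIN_UDP_MAX;
    if (cfg_max < DNS_PLAIN_UDP_MAX)
        cfg_max = DNS_PLAIN_UDP_MAX;
    return client_adv < cfg_max ? client_adv : cfg_max;
}

/* Ask the kernel not to fragment datagrams sent on fd (hypothetical helper).
 * Returns 0 on success, -1 with errno set; ENOPROTOOPT means this platform
 * offers no such option for the address family. */
int udp_set_dont_fragment(int fd, int family)
{
    int v = 1;
    if (family == AF_INET) {
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
        v = IP_PMTUDISC_DO; /* Linux: set DF; oversize sends fail, EMSGSIZE */
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
#elif defined(IP_DONTFRAG)
        return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &v, sizeof v);
#endif
    }
#if defined(IPV6_DONTFRAG)
    if (family == AF_INET6) /* stops the sending host from fragmenting */
        return setsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG, &v, sizeof v);
#endif
    errno = ENOPROTOOPT;
    return -1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    printf("DF set: %s\n", udp_set_dont_fragment(fd, AF_INET) == 0 ? "yes" : "no");
    /* Constructed sample: client advertises 4096, operator cap is 1280. */
    printf("limit: %u\n", (unsigned)edns_effective_payload(4096, 1280));
    return 0;
}
```

A response that does not fit the returned limit would be truncated (TC bit set) so the client retries over TCP rather than receiving fragments.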