A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe
The text explains how attackers run DDoS attacks by abusing DNS as a reflector: they send small queries with a spoofed source address, and the much larger answers are delivered to the victim (a reflection, or amplification, attack). DNSSEC-signed domains are particularly attractive for this abuse because keys and signatures inflate every response. To prevent such attacks against domains hosted on CloudFlare, the company arranged for most DNS responses to fit within a 512-byte UDP packet even when signed with DNSSEC. This involved adopting a then rarely used signature algorithm, ECDSA, whose elliptic-curve keys and signatures are much smaller than RSA keys offering the same level of security, and deprecating the ANY query type. CloudFlare stopped answering ANY queries because they return every record for a name in one oversized response, which makes them ideal for launching large DDoS attacks, and it is working towards making ANY deprecation an Internet standard.
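To make the size argument concrete, here is an added example (not code from the Cloudflare post or from Cloudflare) that builds minimal DNS wire-format packets with only the Python standard library and compares a DNSKEY answer signed with RSA-2048 against the same answer signed with ECDSA P-256. The key and signature bytes are zero-filled placeholders of the correct wire length (no real cryptography runs), the zone name `example.com`, the two-key KSK/ZSK RRset with a single RRSIG, and the TTLs and timestamps are assumptions chosen for illustration; the field layouts follow RFC 1035 (header, question, RR) and RFC 4034 (DNSKEY, RRSIG). It prints the query size, response size, amplification factor and whether the answer fits in a 512-byte UDP payload for each algorithm.

```python
"""Added example (not Cloudflare's code): compare the on-the-wire size of a
DNSSEC DNSKEY answer signed with RSA-2048 versus ECDSA P-256, and the
amplification factor each gives a reflection attacker."""
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)

# Wire widths of the two schemes the post contrasts. RSA-2048: 256-byte
# signature and a 260-byte public key (1-byte exponent length, 3-byte exponent,
# 256-byte modulus). ECDSA P-256 (DNSSEC algorithm 13): 64-byte signature and a
# 64-byte public key (x || y).
ALGORITHMS = {
    "RSA-2048 (alg 8)": {"alg": 8, "sig_len": 256, "key_len": 1 + 3 + 256},
    "ECDSA P-256 (alg 13)": {"alg": 13, "sig_len": 64, "key_len": 64},
}

TYPE_RRSIG, TYPE_DNSKEY, TYPE_ANY = 46, 48, 255
CLASS_IN = 1


def encode_name(name):
    """Encode a domain name as DNS labels (length byte + label), 0-terminated."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Minimal standard query: 12-byte header plus one question, no EDNS0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_rr(rtype, ttl, rdata):
    """Answer RR whose owner name is a compression pointer to the question."""
    owner = b"\xc0\x0c"  # pointer to offset 12, where the question name starts
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def dnskey_rdata(flags, alg, key_len):
    """DNSKEY RDATA (RFC 4034 s2): flags, protocol=3, algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + b"\x00" * key_len  # placeholder key


def rrsig_rdata(type_covered, alg, labels, ttl, signer, sig_len):
    """RRSIG RDATA (RFC 4034 s3): 18-byte fixed prefix, signer name, signature."""
    prefix = struct.pack("!HBBIIIH", type_covered, alg, labels, ttl,
                         0x60000000, 0x5F000000, 12345)  # expiry, inception, key tag (assumed)
    return prefix + encode_name(signer) + b"\x00" * sig_len  # placeholder signature


def build_dnskey_response(name, scheme, ttl=3600):
    """Answer to `name DNSKEY`: KSK (flags 257) + ZSK (flags 256) and one RRSIG.
    Real zones often carry a second RRSIG, which only makes the RSA case worse."""
    p = ALGORITHMS[scheme]
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)  # QR+AA, 3 answers
    question = build_query(name, TYPE_DNSKEY)[12:]
    labels = len(name.rstrip(".").split("."))
    rrset = (build_rr(TYPE_DNSKEY, ttl, dnskey_rdata(257, p["alg"], p["key_len"]))
             + build_rr(TYPE_DNSKEY, ttl, dnskey_rdata(256, p["alg"], p["key_len"])))
    sig = build_rr(TYPE_RRSIG, ttl,
                   rrsig_rdata(TYPE_DNSKEY, p["alg"], labels, ttl, name, p["sig_len"]))
    return header + question + rrset + sig


def amplification(query, response):
    """Bandwidth amplification factor a reflector yields for this exchange."""
    return len(response) / len(query)


def fits_in_udp(response):
    """True if the answer can go out over plain UDP without truncation."""
    return len(response) <= UDP_LIMIT


def compare(name="example.com"):
    """Size, amplification and 512-byte fit of the DNSKEY answer per algorithm."""
    query = build_query(name, TYPE_DNSKEY)
    out = {}
    for scheme in ALGORITHMS:
        resp = build_dnskey_response(name, scheme)
        out[scheme] = {"query": len(query), "response": len(resp),
                       "amplification": round(amplification(query, resp), 1),
                       "fits_512": fits_in_udp(resp)}
    return out


if __name__ == "__main__":
    for scheme, r in compare().items():
        print(f"{scheme:22s} query={r['query']:3d}B response={r['response']:4d}B "
              f"amplification=x{r['amplification']:<5} fits in 512B: {r['fits_512']}")
```

With these assumed inputs the 29-byte query draws an 880-byte answer under RSA-2048 (roughly 30x amplification, and too large for a 512-byte UDP payload) but a 296-byte answer under ECDSA P-256 (roughly 10x, comfortably within 512 bytes). An ANY query would pull the whole RRset collection for the name into one response, which is why the same arithmetic gets much worse for ANY and why refusing it removes the most profitable reflection vector.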
Company
Cloudflare
Date published
March 4, 2016
Author(s)
Dani Grant
Word count
677
Hacker News points
None found.
Language
English