[dns-operations] All dual-stack DNS servers - any problem with it?

Geoffrey Sisson geoff at nominet.org.uk
Fri May 18 10:52:47 UTC 2007


Lutz Donnerhacke <lutz at iks-jena.de> wrote on 2007-05-18 07:53:36:

> * Paul Vixie wrote:
> >> If we limit the DNS size to 512 bytes, the results are frustrating: Every
> >> possible response is truncated, because the RRSIG is too long.
> >
> > dnssec requires edns.
> 
> There are several setups out there limiting any EDNS query to 512 bytes.

Anyone deploying DNSSEC on the server side is likely to use an
implementation which uses the required minimum message size of
1220 octets (and probably larger).

Anyone deploying DNSSEC on the resolver side is likely to use an
implementation which uses the required minimum message size of
1220 octets (and probably larger).

Admittedly, one danger is broken middleboxes which block DNS
packets with message size > 512 regardless of whether an OPT RR
is present.  (This received a lot of attention a few years ago.
Does anyone have any sense of whether this problem is getting
better or worse?)

In any case, the truncation you describe will not occur under
normal circumstances.  (It can be made to occur if unnecessarily
large ZSK sizes are used or if a large number of ZSKs have
been used to sign the zone.)

Geoff
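The size negotiation Geoff is describing, as an added example that is not part of the original post or of any real DNS implementation: a constructed Python model of an EDNS0 query advertising a UDP payload size, a toy authoritative server that sets TC when the signed answer will not fit in that size, and the "broken middlebox" that drops any DNS payload over 512 octets regardless of whether an OPT RR is present. The zone name example.net, the RRSIG RDATA lengths and the 0x1234 query ID are made up; the limits 512 and 1220 and the OPT/TC/DO bit positions are from RFC 1035, RFC 4035 and RFC 6891.

```python
"""Constructed model of EDNS0 size advertisement, server-side truncation
and a 512-octet middlebox.  Added example, not code from the original
post; the zone name, RDATA lengths and query ID are made up."""
import struct

OPT_TYPE = 41               # OPT pseudo-RR type (RFC 6891)
RRSIG_TYPE = 46
TC_FLAG = 0x0200            # TrunCation bit in the header flags word
DO_FLAG = 0x8000            # DNSSEC OK bit, high bit of the OPT TTL field
CLASSIC_LIMIT = 512         # UDP payload limit without EDNS (RFC 1035)
DNSSEC_MIN_PAYLOAD = 1220   # minimum a DNSSEC-aware endpoint must accept (RFC 4035 s4.1)

def encode_name(name):
    """'example.net' -> b'\\x07example\\x03net\\x00' (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_query(name, qtype=RRSIG_TYPE, edns_size=None, do=False, qid=0x1234):
    """Wire-format query. With edns_size set, append an OPT RR in the
    additional section advertising that UDP payload size."""
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size is not None:
        ttl = DO_FLAG if do else 0   # ext-RCODE=0, version=0, DO flag
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, ttl, 0)
    return msg

def advertised_size(msg):
    """(udp_payload_size, do_bit) from the OPT RR; (512, False) if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return CLASSIC_LIMIT, False

def server_respond(query, rrsig_rdata_len):
    """Toy authoritative server. The answer is one RRSIG-shaped RR whose
    RDATA is rrsig_rdata_len zero bytes (standing in for the signature that
    makes signed answers large). If the whole response exceeds the client's
    advertised size, send header+question with TC set instead. A real
    server would also echo an OPT RR; that is omitted here."""
    limit, _ = advertised_size(query)
    qid, = struct.unpack("!H", query[:2])
    qd, = struct.unpack("!H", query[4:6])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    question = query[12:off]
    # owner name as a compression pointer to the question name (offset 12)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, rrsig_rdata_len)
              + b"\x00" * rrsig_rdata_len)
    if 12 + len(question) + len(answer) <= limit:
        return struct.pack("!HHHHHH", qid, 0x8180, qd, 1, 0, 0) + question + answer
    return struct.pack("!HHHHHH", qid, 0x8180 | TC_FLAG, qd, 0, 0, 0) + question

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def broken_middlebox(msg, hard_limit=CLASSIC_LIMIT):
    """The middlebox Geoff warns about: drops any DNS payload over 512
    octets whether or not an OPT RR is present. None means dropped."""
    return msg if len(msg) <= hard_limit else None

def scenario(edns_size, rrsig_rdata_len, middlebox=False):
    """Outcome for one lookup: 'ok', 'truncated' or 'dropped'."""
    query = build_query("example.net", edns_size=edns_size, do=edns_size is not None)
    response = server_respond(query, rrsig_rdata_len)
    if middlebox:
        response = broken_middlebox(response)
        if response is None:
            return "dropped"
    return "truncated" if is_truncated(response) else "ok"

if __name__ == "__main__":
    print("no EDNS, 600-byte RRSIG:        ", scenario(None, 600))
    print("EDNS 1220, 600-byte RRSIG:      ", scenario(1220, 600))
    print("EDNS 1220 through 512 middlebox:", scenario(1220, 600, middlebox=True))
    print("EDNS 1220, 1300-byte RRSIG:     ", scenario(1220, 1300))
```

The four scenarios map onto the thread: without EDNS every signed answer of any size comes back with TC set (Lutz's complaint); with the 1220-octet minimum the same answer fits (Geoff's point); the same fitting answer is lost entirely when a middlebox filters on length alone (the danger Geoff admits); and an answer inflated past the advertised size is truncated again (the oversized-ZSK case).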
