[dns-operations] All dual-stack DNS servers - any problem with it?
Mark Andrews
Mark_Andrews at isc.org
Fri May 18 12:55:51 UTC 2007
> > > dnssec requires edns.
> >
> > There are several setups out there limiting any EDNS query to 512 bytes.
>
> then those setups will preclude the use of dnssec.
>
> this isn't negotiable. anyone who breaks edns will break dnssec. anyone
> stuck in a place where edns doesn't work will have to tunnel dns over vpn.

512 - OPT (1 + 2 + 2 + 4 + 2) is 501. That's still enough
for most answers.

The real problem is how do you handle both packet loss and
non-rfc 1034 compliant servers that drop EDNS queries at
the same time?

If it is packet loss then you want to continue making EDNS queries.
If it is a broken server then you want to stop making EDNS queries.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
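
The 1 + 2 + 2 + 4 + 2 breakdown in the message above, worked through as an added example that is not part of the original post: it encodes an empty OPT pseudo-RR (layout per RFC 6891, which obsoleted RFC 2671), parses it back, and computes what remains under a 512-byte limit. The function names build_opt, parse_opt and bytes_left are hypothetical, and the sample record is constructed.

```python
import struct

OPT_TYPE = 41       # RR type code assigned to OPT
DO_BIT = 0x8000     # "DNSSEC OK" flag in the OPT flags field
OPT_FIXED_LEN = 11  # 1 + 2 + 2 + 4 + 2, as in the post


def build_opt(udp_size=512, do=True, rdata=b""):
    """Encode an OPT pseudo-RR; field widths follow the 1+2+2+4+2 breakdown."""
    return (
        b"\x00"                                           # NAME: root (1)
        + struct.pack("!H", OPT_TYPE)                     # TYPE (2)
        + struct.pack("!H", udp_size)                     # CLASS: UDP payload size (2)
        + struct.pack("!BBH", 0, 0, DO_BIT if do else 0)  # TTL: ext-rcode, version, flags (4)
        + struct.pack("!H", len(rdata))                   # RDLENGTH (2)
        + rdata                                           # EDNS options, if any
    )


def parse_opt(buf):
    """Decode an OPT pseudo-RR, rejecting truncated or inconsistent input."""
    if len(buf) < OPT_FIXED_LEN or buf[0] != 0:
        raise ValueError("not an OPT pseudo-RR")
    rtype, udp_size, _ext_rcode, version, flags, rdlen = struct.unpack(
        "!HHBBHH", buf[1:OPT_FIXED_LEN])
    if rtype != OPT_TYPE:
        raise ValueError("RR type is not OPT")
    if len(buf) - OPT_FIXED_LEN != rdlen:
        raise ValueError("RDLENGTH does not match the data present")
    return {"udp_size": udp_size, "version": version,
            "do": bool(flags & DO_BIT), "rdlen": rdlen}


def bytes_left(limit, opt):
    """Bytes remaining in a message capped at `limit` once the OPT RR is included."""
    return limit - len(opt)


if __name__ == "__main__":
    opt = build_opt(udp_size=512, do=True)  # constructed sample record
    print(len(opt), parse_opt(opt), bytes_left(512, opt))
```

Any EDNS options carried in the OPT RDATA reduce the remaining space further, which bytes_left reflects because it uses the encoded length.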