[dns-operations] best way to reprime root-hints?

Mark Andrews Mark_Andrews at isc.org
Tue Feb 5 02:17:03 UTC 2008


> Joe,
> 
> On Feb 4, 2008, at 4:45 PM, Joe Abley wrote:
> >>> Why hope when you can just try it? There are only 13 to try :-)
> >> This assumes the name servers running on all instances are the  
> >> same.  Are they?
> >
> > Well, true. What I failed to prove was that there was a single  
> > instance of one of the root servers that didn't support EDNS0 that  
> > was easy to find, for me, from here. I appreciate that that's not  
> > the question I asked myself.
> 
> Out of curiosity, are all the f root instances running the same code?
> 
> >> P.S. I think setting the limit arbitrarily to 1200 is likely a  
> >> mistake.  Someday, not only will we have 13 AAAAs and 13 As, but we  
> >> may also have DNSSEC cruft.  Not sure all of that will fit in 1200...
> >
> > Since we don't have additional cruft today, it seemed like a  
> > reasonable number to pick out of the air for the sole purpose of an  
> > example :-)
> 
> Sorry: this bit was for Bert (if I read the diffs he mentioned  
> correctly, 1200 is hardwired into the code).

	If DO is set then 1200 is way too small for almost any DNSSEC
	response.  The only time you want EDNS to use sizes this
	small is when you are behind a broken NAT/firewall that
	doesn't allow / support fragmented responses and you are
	trying to prevent fragmentation.
 
> Regards,
> -drc
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
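
A size model for the question discussed in this message, as an added example that is not part of the original post: it builds a ". NS" priming response with 13 A and 13 AAAA records in wire format and compares its length with an advertised EDNS size of 1200. The signature lengths, the zero-filled RRSIGs, the TTLs and the `sign_glue` case (address records signed as well) are assumptions for illustration.

```python
import struct

LETTERS = "abcdefghijklm"          # a..m.root-servers.net
ZONE = "root-servers.net"

def encode_name(name, offsets, pos, compress=True):
    """Wire-encode a name placed at message offset pos (RFC 1035 compression)."""
    out, labels = b"", [l for l in name.split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if compress and suffix in offsets:
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if compress and pos + len(out) < 0x4000:
            offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def add_rr(msg, offsets, owner, rtype, rdata=b"", target=None, rclass=1, ttl=3600000):
    """Append one RR; target is a compressible name carried in RDATA (NS)."""
    msg += encode_name(owner, offsets, len(msg))
    if target is not None:
        rdata = encode_name(target, offsets, len(msg) + 10)  # 10 = type..rdlength
    msg += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def rrsig(covered, signer, sig_len):
    """RRSIG RDATA with a zero-filled signature: models size only, not validity."""
    fixed = struct.pack("!HBBIIIH", covered, 5, 0, 3600000, 0, 0, 0)
    return fixed + encode_name(signer, {}, 0, compress=False) + bytes(sig_len)

def priming_response(sig_len=0, sign_glue=False):
    """Constructed '. NS' response: 13 NS, 13 A, 13 AAAA, OPT; RRSIGs if sig_len > 0."""
    msg, offsets = bytearray(12), {}
    msg += b"\x00" + struct.pack("!HH", 2, 1)                # question: . NS IN
    for c in LETTERS:
        add_rr(msg, offsets, ".", 2, target=f"{c}.{ZONE}")
    if sig_len:
        add_rr(msg, offsets, ".", 46, rrsig(2, ".", sig_len))
    for rtype, size in ((1, 4), (28, 16)):                   # A, AAAA
        for c in LETTERS:
            add_rr(msg, offsets, f"{c}.{ZONE}", rtype, bytes(size))
            if sig_len and sign_glue:
                add_rr(msg, offsets, f"{c}.{ZONE}", 46, rrsig(rtype, ZONE, sig_len))
    add_rr(msg, offsets, ".", 41, rclass=4096, ttl=0x8000 if sig_len else 0)  # OPT, DO
    counts = (13 + bool(sig_len), 0, 27 + 26 * bool(sig_len and sign_glue))
    msg[:12] = struct.pack("!6H", 0, 0x8400, 1, *counts)
    return bytes(msg)

def fits(response, advertised=1200):
    # True if the response can go out over UDP without setting TC
    return len(response) <= advertised
```

`priming_response(128)` models a 1024-bit RSA signature over the NS RRset only; `priming_response(128, sign_glue=True)` adds one RRSIG per address RRset, which is where the size passes both 1200 and 4096.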
