[dns-operations] No public calendar for the root signing deployment

Florian Weimer fweimer at bfk.de
Fri Dec 11 08:33:43 UTC 2009


* Paul Vixie:

> here's a survey of which root name servers are setting DF=1 on their
> responses.  this must stop before the signed root is published.

Note that this requires some sort of policy decision from the
operator; it is impossible to test this exhaustively from the outside.
My current list matches yours, though.

The same issue technically affects TCP service as well.  But there,
Ebay has forced everyone with a sub-1500 MTU to advertise a smaller
TCP maximum segment size, and PPPoE implementations were changed to
implement MSS clamping by rewriting outgoing TCP packets.  The end
effect is that hosts with smaller MTUs can connect to sites which
improperly filter ICMP traffic, breaking path MTU discovery.

Similar logic could be applied to DNS packets, but I think we all
rather like to avoid DNS packet mangling by CPE routers/modems.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
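The failure mode under discussion (a large UDP response with DF=1 meets a hop whose MTU is too small, and the ICMP "fragmentation needed" message never reaches a site that filters ICMP) can be checked mechanically from captured packets. The following is an added example and not code from the thread or from any root server operator: it parses the IPv4 flags field, classifies what a hop with a given MTU would do with the datagram, and runs that over a few constructed sample headers (the server names, addresses and the assumed 1280-byte path MTU are made up for illustration).

```python
import struct

# Constructed sample headers for illustration; not captured from any real
# root name server.  Only the 20-byte header is built; the payload is
# omitted because flag inspection does not need it.
def build_ipv4_header(total_length: int, df: bool, proto: int = 17) -> bytes:
    """Build a minimal IPv4 header claiming the given total length.
    The header checksum is left at zero; it is irrelevant for flag checks."""
    ver_ihl = (4 << 4) | 5                    # version 4, IHL 5 (20 bytes)
    flags_frag = 0x4000 if df else 0x0000     # bit 14 is DF; offset is zero
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_length, 0x1234, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def ipv4_df_set(packet: bytes) -> bool:
    """Return True if the Don't Fragment flag is set in the IPv4 header."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & 0x4000)

def ipv4_total_length(packet: bytes) -> int:
    """Total datagram length as declared in the IPv4 header."""
    return struct.unpack("!H", packet[2:4])[0]

def response_fate(packet: bytes, path_mtu: int) -> str:
    """Classify what a hop with the given MTU does with this datagram:
    'forwarded' if it fits; 'fragmented' if it does not fit and DF is clear;
    'dropped' if it does not fit and DF is set.  In the last case the hop
    emits ICMP Fragmentation Needed, which a site that filters ICMP never
    sees, so the DNS response is simply lost."""
    if ipv4_total_length(packet) <= path_mtu:
        return "forwarded"
    return "dropped" if ipv4_df_set(packet) else "fragmented"

def audit(samples: dict, path_mtu: int = 1280) -> dict:
    """Run response_fate over a name -> packet mapping (assumed MTU 1280)."""
    return {name: response_fate(pkt, path_mtu) for name, pkt in samples.items()}

# Constructed samples: a 1500-byte response with DF set, the same without
# DF, and a small 512-byte response that fits any sane path MTU.
SAMPLES = {
    "server-a": build_ipv4_header(1500, df=True),
    "server-b": build_ipv4_header(1500, df=False),
    "server-c": build_ipv4_header(512, df=True),
}

if __name__ == "__main__":
    for name, fate in audit(SAMPLES).items():
        print(f"{name}: DF={ipv4_df_set(SAMPLES[name])} -> {fate}")
```

In practice the packets would come from a capture of real responses to a large query (for example one that elicits the signed root's DNSKEY RRset); only the operator can confirm the setting is policy rather than a per-host accident, which is the point made above about needing a decision from the operator.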