[dns-operations] No public calendar for the root signing deployment
bmanning at vacation.karoshi.com
Mon Dec 14 14:52:06 UTC 2009
On Mon, Dec 14, 2009 at 05:43:16AM +0100, bert hubert wrote:
> On Mon, Dec 14, 2009 at 12:25:49AM +0100, Peter Koch wrote:
> > my point is that the "melody" of the message is very important. Nothing in
> > this very good article really rings an alarm bell or "warns" people.
> > It is "just" good technical information. The hard part is to tailor
> > the message towards the intended or even anticipated target audiences.
> > I'm all for openness and advance announcements, but some of the postings
> > in this thread could be read to suggest we're going to face a big experiment
> > with zillions of innocent victims being cut off the net.
>
> This is in fact what one root operator says, so it goes way beyond
> 'suggesting'.
>
> As bmanning said:
>
> from my limited scope testing (from one root) there are
> double-digit percentage of priming queries that will get
> hit with this problem... I think parts of the internet
> will go dark.
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2009-December/004760.html
>
> So it isn't the actual tone of the message that is worrying, it is also the
> music itself.
>
> Or is bill wrong? Because a root-priming query with EDNS enabled has been
> returning >512 answers for a long time now. Or perhaps BIND doesn't do that?
>
> Bert

it's not really a bind issue - it's more of a middlebox issue.
SSAC35 talks to this issue in some detail. and part of the reason
we don't see this already is that the responses that are >512 are not
priming queries - so the requestor gets -some- data back.

then there is the whole question of what to do with UDP fragmentation...
it's going to be exciting times.

--bill
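
Added example, not part of the original message or of any tool named in the thread: a Python sketch of the check the thread implies, building the root priming query (". IN NS") with and without an EDNS0 OPT record and comparing the two outcomes to spot a path that loses replies over 512 bytes. The function names, outcome labels and the sample responses are assumptions constructed for illustration; sending the probes is left out so the block runs offline.

```python
import struct

QID = 0x1234  # constructed query ID shared by the sample packets below

def build_priming_query(edns_size=4096, do_bit=True):
    """Wire format of '. IN NS'. edns_size=None sends plain DNS (512-byte UDP limit)."""
    arcount = 0 if edns_size is None else 1
    header = struct.pack("!HHHHHH", QID, 0x0000, 1, 0, 0, arcount)
    question = b"\x00" + struct.pack("!HH", 2, 1)  # root name, QTYPE=NS, QCLASS=IN
    if edns_size is None:
        return header + question
    ttl = 0x8000 if do_bit else 0  # ext-rcode 0, version 0, DO flag in the low 16 bits
    # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP size, TTL, RDLEN=0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, edns_size, ttl, 0)

def classify(resp):
    """Label one probe result; resp is the UDP payload, or None on timeout."""
    if resp is None:
        return "no-reply"
    if len(resp) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != QID or not flags & 0x8000:  # wrong ID or QR bit clear
        return "malformed"
    if flags & 0x0200:  # TC bit: the answer did not fit, retry over TCP
        return "truncated"
    return "large-ok" if len(resp) > 512 else "small-ok"

def diagnose(edns_resp, plain_resp):
    """Compare the EDNS probe with the plain-DNS probe sent over the same path."""
    e, p = classify(edns_resp), classify(plain_resp)
    if e == "large-ok":
        return "path-ok"
    if e == "no-reply" and p in ("small-ok", "truncated"):
        return "large-reply-lost"  # middlebox or fragment filtering suspected
    if e == "truncated":
        return "tcp-fallback-needed"
    return "inconclusive"

# Constructed responses: headers only, padded to the sizes of interest.
BIG = struct.pack("!HHHHHH", QID, 0x8400, 1, 13, 0, 14) + b"\x00" * 788
TRUNC = struct.pack("!HHHHHH", QID, 0x8600, 1, 0, 0, 0) + b"\x00" * 5

if __name__ == "__main__":
    print(len(build_priming_query()), "byte EDNS priming query")
    print(diagnose(BIG, TRUNC), diagnose(None, TRUNC), diagnose(TRUNC, TRUNC))
```

A "large-reply-lost" result only says the plain query was answered while the EDNS one was not; it does not identify which device on the path dropped the reply.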