[dns-operations] wrapup of fragmentation/do/tcp discussion requested

bert hubert bert.hubert at netherlabs.nl
Sun Jun 21 21:00:01 UTC 2009

> From: Patrik F?ltstr?m <patrik at frobbit.se>
> On 21 jun 2009, at 12.49, bert hubert wrote:
> > Was .se immune because it does not do NSEC3?
> What I have seen in the case of .SE is similar to what I saw when for
> example yahoo.com started to have response sizes larger than 512
> bytes, that EDNS0 is really necessary. I have not seen any problems in
> Sweden in reality what some "theoretical" discussions on this list
> refer to regarding size issues.

Well.. your common case is <512 bytes, for www.powerdns.se:  MSG SIZE  rcvd:

This might explain why you did not see anything drastic happening.

> What has been much more complicated is the sync:ing of keys between
> parent and child zones, i.e. keeping the DS up to date.

Would something like 'time to go live' records help? So you could

I'm thinking out loud here, if I have to do DNSSEC in PowerDNS, I might as
well do it right..


http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the dns-operations mailing list