[dns-operations] wrapup of fragmentation/do/tcp discussion requested
bert hubert
bert.hubert at netherlabs.nl
Sun Jun 21 21:00:01 UTC 2009
> From: Patrik Fältström <patrik at frobbit.se>
> On 21 jun 2009, at 12.49, bert hubert wrote:
>
> > Was .se immune because it does not do NSEC3?
>
> What I have seen in the case of .SE is similar to what I saw when for
> example yahoo.com started to have response sizes larger than 512
> bytes, that EDNS0 is really necessary. I have not seen any problems in
> Sweden in reality what some "theoretical" discussions on this list
> refer to regarding size issues.
Well.. your common case is <512 bytes, for www.powerdns.se: MSG SIZE rcvd: 307
This might explain why you did not see anything drastic happening.
> What has been much more complicated is the sync:ing of keys between
> parent and child zones, i.e. keeping the DS up to date.
Would something like 'time to go live' records help? So you could
pre-distribute?
I'm thinking out loud here, if I have to do DNSSEC in PowerDNS, I might as
well do it right..
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services