[dns-operations] wrapup of fragmentation/do/tcp discussion requested
marka at isc.org
Mon Jun 22 00:59:57 UTC 2009
In message <DAD5F6A5-F5C9-40FD-90F2-CDD47AF951B3 at frobbit.se>, =?ISO-8859-1?Q?Pat
> On 21 jun 2009, at 12.49, bert hubert wrote:
> > Was .se immune because it does not do NSEC3?
> What I have seen in the case of .SE is similar to what I saw when for
> example yahoo.com started to have response sizes larger than 512
> bytes, that EDNS0 is really necessary. I have not seen any problems in
> Sweden in reality what some "theoretical" discussions on this list
> refer to regarding size issues.
> This is why I have asked a few times what issues people _really_ see
> with the size. I have still not understood. Is it that deployed
> hardware do throw away fragmented packets, that fragmentation does not
> happen, or ...
Patrik, the fear is that DNSSEC through 512 byte firewalls, will
result in a TCP load that will overwhelm servers, especially those
towards the top of the heirachy.
wessels_light_N46.pdf gives some insight.
This ORG server(cluster?) sees 6000 q/s which result in 60 tcp
connections a second from 100 UDP/TC responses a second.
About 50-70% of the world talks EDNS, almost all of which sets DO=1,
so scaling up would give 120 TCP conections / second.
The root's response profile is slightly differrent to that of a
TLD. 50% NXDOMAIN compared with 20% for ORG. Signed NXDOMAIN
responses have two RRSIG sets compared with one for a referral so
they tend to be slightly bigger. Signed NXDOMAIN will almost
certainly be bigger that 512 bytes, whereas a signed referral exceeds
512 bytes 90% of the time.
As long as the ratios of the signed responses [12..512], [513..1460],
[1461..4096] stay roughly the same between the roots and TLD servers
we should be able to safely extrapolate what will happen at the
roots when DNSEC is turned on.
> The only thing I can not have seen, even if it "would be a problem"
> would be the backoff to TCP in the case of a truncated response. I am
> not sitting with data from such servers so that I can respond. Other
> people on this list can say whether that has been a problem or not.
> What has been much more complicated is the sync:ing of keys between
> parent and child zones, i.e. keeping the DS up to date.
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations