[dns-operations] wrapup of fragmentation/do/tcp discussion requested

Mark Andrews marka at isc.org
Mon Jun 22 00:59:57 UTC 2009

In message <DAD5F6A5-F5C9-40FD-90F2-CDD47AF951B3 at frobbit.se>, =?ISO-8859-1?Q?Pat
rik_F=E4ltstr=F6m?= writes:
> On 21 jun 2009, at 12.49, bert hubert wrote:
> > Was .se immune because it does not do NSEC3?
> What I have seen in the case of .SE is similar to what I saw when for  
> example yahoo.com started to have response sizes larger than 512  
> bytes, that EDNS0 is really necessary. I have not seen any problems in  
> Sweden in reality what some "theoretical" discussions on this list  
> refer to regarding size issues.
> This is why I have asked a few times what issues people _really_ see  
> with the size. I have still not understood. Is it that deployed  
> hardware do throw away fragmented packets, that fragmentation does not  
> happen, or ...

Patrik, the fear is that DNSSEC through 512 byte firewalls, will
result in a TCP load that will overwhelm servers, especially those
towards the top of the heirachy.

wessels_light_N46.pdf gives some insight.

This ORG server(cluster?) sees 6000 q/s which result in 60 tcp
connections a second from 100 UDP/TC responses a second.

About 50-70% of the world talks EDNS, almost all of which sets DO=1,
so scaling up would give 120 TCP conections / second.

The root's response profile is slightly differrent to that of a
TLD.  50% NXDOMAIN compared with 20% for ORG.  Signed NXDOMAIN
responses have two RRSIG sets compared with one for a referral so
they tend to be slightly bigger.  Signed NXDOMAIN will almost
certainly be bigger that 512 bytes, whereas a signed referral exceeds
512 bytes 90% of the time.

As long as the ratios of the signed responses [12..512], [513..1460],
[1461..4096] stay roughly the same between the roots and TLD servers
we should be able to safely extrapolate what will happen at the
roots when DNSEC is turned on.


> The only thing I can not have seen, even if it "would be a problem"  
> would be the backoff to TCP in the case of a truncated response. I am  
> not sitting with data from such servers so that I can respond. Other  
> people on this list can say whether that has been a problem or not.
> What has been much more complicated is the sync:ing of keys between  
> parent and child zones, i.e. keeping the DS up to date.
>     Patrik
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list