[dns-operations] wrapup of fragmentation/do/tcp discussion requested
marka at isc.org
Mon Jun 22 06:24:20 UTC 2009
In message <20090622053322.GA5839 at outpost.ds9a.nl>, bert hubert writes:
> > From: Mark Andrews <marka at isc.org>
> > Date: Mon, Jun 22, 2009 at 2:11 AM
> > 1. 512 covers all the recoverable failure paths.
> > 2. 512 doesn't significantly change the amount of fallback to
> > TCP due to fragmentation/DNS proxies.
> '1' may very well be true, but '2' is as far as I can tell not backed up by
> > 3. Some answers are less than 512 bytes in size.
> No single referral from a zone signed with NSEC3 though, or using the
> parameters of GOV or ORG.
Did you check secure delegations? Secure delegations
take fewer records with NSEC3: DS + RRSIG vs. 1 or 2 NSEC3
records + RRSIGs.
ISC.ORG's delegation was less than 512 when ORG was first
signed. It should be again once the DS RRset goes in.
> > 5. Not everyone is in a position to change the equipment that
> > is blocking the responses to 4096 byte queries.
> Well.. why not do a fallback to 1280 first? That does not require
> fragmentation, and does indeed have enough room to contain 99.9% of all
> typical DO=1 responses.
And almost all those same answers will get through with
EDNS at 4096. DNSSEC referrals don't normally get fragmented
and they are the ones that can potentially benefit from
additional section record trimming. It's the DNSKEY responses
that get fragmented and they can be made minimal by the
> I understand it is more work, but 1280 would basically mean 'business as
> usual' if there is (as I suspect) a large class of networks that can pass
> both 512 and 1280, but not 4096.
> Is there a good reason not to try 1280?
You need to fit all the fallbacks into the time it takes
the stub resolver to timeout.
> http://www.PowerDNS.com Open source, database driven DNS Software
> http://netherlabs.nl Open and Closed source services
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org