[dns-operations] wrapup of fragmentation/do/tcp discussion requested

Mark Andrews marka at isc.org
Mon Jun 22 06:24:20 UTC 2009


In message <20090622053322.GA5839 at outpost.ds9a.nl>, bert hubert writes:
> > From: Mark Andrews <marka at isc.org>
> > Date: Mon, Jun 22, 2009 at 2:11 AM
> > 
> >        1.  512 covers all the recoverable failure paths.
> >        2.  512 doesn't significantly change the amount of fallback to
> >            TCP due to fragmentation/DNS proxies.
> 
> '1' may very well be true, but '2' is as far as I can tell not backed up by
> figures. 
>
> >        3.  Some answers are less than 512 bytes in size.
> 
> No single referral from a zone signed with NSEC3 though, or using the
> parameters of GOV or ORG. 

	Did you check secure delegations?  Secure delegations
	take fewer records with NSEC3.  DS + RRSIG v/s  1 or 2 NSEC3
	records + RRSIGs.

	ISC.ORG's delegation was less than 512 when ORG was first
	signed.  It should be again once the DS RRset goes in.

> >        5.  Not everyone is in a position to change the equipment that
> >            is blocking the responses to 4096 byte queries.
> 
> Well.. why not do a fallback to 1280 first? That does not require
> fragmentation, and does indeed have enough room to contain 99.9% of all
> typical DO=1 responses.

	And almost all those same answers will get through with
	EDNS at 4096.  DNSSEC referrals don't normally get fragmented
	and they are the ones that can potentially benefit from
	additional section record trimming.  It's the DNSKEY responses
	that get fragmented and they can be made minimal by the
	authoritative servers.

> I understand it is more work, but 1280 would basically mean 'business as
> usual' if there is (as I suspect) a large class of networks that can pass
> both 512 and 1280, but not 4096.
> 
> Is there a good reason not to try 1280?

	You need to fit all the fallbacks into the time it takes
	the stub resolver to timeout.

	Mark

>	Bert
> 
> -- 
> http://www.PowerDNS.com      Open source, database driven DNS Software 
> http://netherlabs.nl              Open and Closed source services
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
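The thread turns on two things: what an EDNS buffer size advertisement actually is on the wire, and Mark's closing constraint that every fallback step (4096, a possible 1280 step, 512, then TCP) has to complete before the stub resolver gives up. The following is an added example, not code from either poster or from ISC or PowerDNS. It builds a query carrying an OPT record with a chosen UDP payload size and DO bit, reads the advertised size back out of a message, and models a fallback schedule against a stub timeout budget. The function names, the per-attempt timeout, the TCP cost and the `TCP_MARKER` sentinel are all assumptions chosen for the illustration; the model treats every UDP attempt as a silent timeout, which is the middlebox-drops-large-responses case the thread is about.

```python
"""Build a DNS query carrying an EDNS0 OPT record, read the advertised UDP
payload size back out of it, and model a resolver's buffer-size fallback
schedule against a stub resolver's timeout budget.

Added example; function names and timing constants are assumptions."""
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR type code
DO_FLAG = 0x8000       # DNSSEC OK bit, top bit of the OPT record's TTL field
TCP_MARKER = 0         # constructed sentinel: 0 in a schedule means "retry over TCP"


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, udp_size: int, do: bool = True, txid: int = 0x1234) -> bytes:
    """Return a DNS query with one question and one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    ttl_field = DO_FLAG if do else 0        # extended RCODE=0, version=0, DO bit, Z=0
    # OPT: root name, TYPE=41, CLASS carries the UDP payload size, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl_field, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def advertised_udp_size(msg: bytes):
    """Return (udp_payload_size, do_bit) from the first OPT record, or None if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # questions: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # resource records in all three sections
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
    return None


def fallback_schedule(sizes, per_try_timeout, stub_timeout, tcp_time):
    """Model the constraint that every fallback must fit inside the stub's timeout.

    sizes: EDNS payload sizes tried in order, e.g. [4096, 1280, 512]. Each UDP
    attempt is assumed to time out silently after per_try_timeout seconds; a
    TCP retry costing tcp_time is appended last. An attempt only starts if the
    stub has not yet given up. 'fits' is true when the TCP retry both starts
    and completes within stub_timeout."""
    elapsed = 0.0
    attempts = []
    for size in list(sizes) + [TCP_MARKER]:
        if elapsed >= stub_timeout:
            break                            # the stub has already timed out; nothing after this helps
        attempts.append(size)
        elapsed += tcp_time if size == TCP_MARKER else per_try_timeout
    fits = TCP_MARKER in attempts and elapsed <= stub_timeout
    return {"attempts": attempts, "elapsed": round(elapsed, 3), "fits": fits}


if __name__ == "__main__":
    q = build_query("isc.org", 2, 4096)          # NS query advertising 4096, DO=1
    print(advertised_udp_size(q))                # (4096, True)
    # Constructed timing: 2 s per UDP attempt, 0.5 s TCP, stub gives up at 5 s.
    print(fallback_schedule([4096, 1280, 512], 2.0, 5.0, 0.5))   # TCP never starts
    print(fallback_schedule([4096, 512], 2.0, 5.0, 0.5))         # TCP completes at 4.5 s
```

With the constructed timings, inserting the 1280 step pushes the TCP retry past the stub's deadline while the two-step schedule still reaches TCP, which is the trade-off Mark points at; whether that holds for a real deployment depends on the actual per-attempt timeout and stub behaviour, so the numbers are only illustrative.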
