[dns-operations] wrapup of fragmentation/do/tcp discussion requested

Patrik Fältström patrik at frobbit.se
Mon Jun 22 06:48:42 UTC 2009

On 22 jun 2009, at 02.59, Mark Andrews wrote:

> Patrik, the fear is that DNSSEC through 512 byte firewalls, will
> result in a TCP load that will overwhelm servers, especially those
> towards the top of the hierarchy.
> wessels_light_N46.pdf gives some insight.

What I see in this pdf (thanks for the pointer, I must have missed it  
earlier) is that there is an increase in transactions over TCP. I also  
see a high number of queries without EDNS0 size.

I do not see this specifically being due to firewalls. But, based on
this, I will do "another round at Cisco" talking with people.

I.e. what I saw some years ago was a problem with packet sizes larger  
than 512 bytes, and this when for example Yahoo! started to have large  
response sizes when queried for A. We updated our code in the PIX (for  
example) and the complaints that were visible to me went away. I.e. I
have not heard about such problems for a while, so I wanted to know.

I even thought firewalls today that do not support EDNS0 would also  
not allow DNS queries over TCP. At least that is a very common problem  
I see, and in those cases the result of failed EDNS negotiation (or
blocking of responses with size >512) would not be a TCP fallback.

I'll do another round at Cisco and see what I can find.
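The failure mode discussed above, as an added illustration that is not part of the original thread: a simplified model of an authoritative server, a firewall that silently drops UDP DNS replies above 512 bytes (and may block TCP/53), and the outcome the resolver experiences. Sizes, names and the resolver strategy are constructed for this model; the point it shows is that a dropped large reply carries no TC bit, so the resolver times out instead of falling back to TCP.

```python
import struct

TC_BIT = 0x0200      # TrunCation flag in the DNS header flags word
HEADER_LEN = 12


def dns_header(tc):
    """Minimal response header: QR=1, AA=1, optional TC, one question, no RRs."""
    flags = 0x8400 | (TC_BIT if tc else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


def udp_reply(advertised_size, answer_bytes):
    """Authoritative side: send the whole answer if it fits the client's EDNS0
    UDP size (512 bytes when no OPT record was sent), otherwise a reply cut
    down to that size with TC set so the client knows to retry over TCP."""
    if answer_bytes <= advertised_size:
        return dns_header(tc=False) + b"\x00" * (answer_bytes - HEADER_LEN)
    return dns_header(tc=True) + b"\x00" * (advertised_size - HEADER_LEN)


def resolve(edns_size=None, answer_bytes=1200, fw_max_udp=512, fw_allows_tcp=True):
    """Outcome seen by a resolver behind a firewall that drops UDP DNS larger
    than fw_max_udp and may also block TCP/53.  edns_size=None means the query
    carries no OPT record, so the server assumes the classic 512-byte limit.
    answer_bytes=1200 is a constructed size for a DNSSEC-signed answer."""
    advertised = edns_size if edns_size is not None else 512
    reply = udp_reply(advertised, answer_bytes)
    if len(reply) > fw_max_udp:
        # The reply never reaches the resolver: no TC bit, hence no TCP fallback.
        return "timeout"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & TC_BIT:
        return "answer-via-tcp" if fw_allows_tcp else "tcp-blocked"
    return "answer-via-udp"


if __name__ == "__main__":
    cases = [
        dict(edns_size=4096),                       # EDNS0 through a 512-byte firewall
        dict(edns_size=4096, fw_max_udp=4096),      # firewall passes large UDP
        dict(edns_size=None),                       # no EDNS0: TC arrives, TCP retry
        dict(edns_size=None, fw_allows_tcp=False),  # no EDNS0 and TCP/53 blocked
        dict(edns_size=None, answer_bytes=300),     # small answer, no problem
    ]
    for case in cases:
        print(case, "->", resolve(**case))
```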

