[dns-operations] wrapup of fragmentation/do/tcp discussion requested
patrik at frobbit.se
Mon Jun 22 06:48:42 UTC 2009
On 22 jun 2009, at 02.59, Mark Andrews wrote:
> Patrik, the fear is that DNSSEC through 512 byte firewalls, will
> result in a TCP load that will overwhelm servers, especially those
> towards the top of the heirachy.
> wessels_light_N46.pdf gives some insight.
What I see in this pdf (thanks for the pointer, I must have missed it
earlier) is that there is an increase in transactions over TCP. I also
see a high number of queries without EDNS0 size.
I do not see this specifically be due to firewalls. But, I will based
on this do "another round at Cisco" talking with people.
I.e. what I saw some years ago was a problem with packet sizes larger
than 512 bytes, and this when for example Yahoo! started to have large
response sizes when queried for A. We updated our code in the PIX (for
example) and the complaints that where visible to me went away. I.e. I
have not heard about such problems for a while, so I wanted to know.
I even thought firewalls today that do not support EDNS0 would also
not allow DNS queries over TCP. At least that is a very common problem
I see, and in those cases the result of failed EDNS negotiation (or
blocking of response size >512 would not result in a TCP fallback.
I'll do another round at Cisco and see what I can find.
More information about the dns-operations