[dns-operations] wrapup of fragmentation/do/tcp discussion requested
Patrik Fältström
patrik at frobbit.se
Mon Jun 22 06:55:20 UTC 2009
On 21 jun 2009, at 23.00, bert hubert wrote:
> Well.. your common case is <512 bytes, for www.powerdns.se: MSG SIZE rcvd: 307
>
> This might explain why you did not see anything drastic happening.
Correct, but we did pretty quickly see issues with some home gateways
that did not handle the signalling correctly. So the incidents that we
would have got would have been very visible.
>> What has been much more complicated is the syncing of keys between
>> parent and child zones, i.e. keeping the DS up to date.
>
> Would something like 'time to go live' records help? So you could
> pre-distribute?
No. This has to do with, for example, the lack of a standardized protocol for
transfer of DS key material between DNS operator and registrar,
registrars not supporting DNSSEC (so after a transfer of a signed
domain, what to do?) and DNS operators (that the domain is delegated to)
not supporting DNSSEC.
But we are working on mitigating those things with some implicit
removal of keys at some specific EPP transactions, tests of
delegations and keys etc. We are just letting Patrik Wallström, who is
really key to this discussion, have his vacation as he (a) really needs
the vacation and (b) is moving at the same time.
I hope Afilias/PIR have been thinking about that. I was part of their
DNSSEC deployment project for a while to sync with what has happened
in Sweden, but I lost contact about 2 years ago. I am happy to
reconnect (hint hint, if anyone at Afilias/PIR sees this).
Patrik