[dns-operations] wrapup of fragmentation/do/tcp discussion requested

Patrik Fältström patrik at frobbit.se
Mon Jun 22 06:55:20 UTC 2009

On 21 jun 2009, at 23.00, bert hubert wrote:

> Well.. your common case is <512 bytes, for www.powerdns.se:  MSG  
> SIZE  rcvd:
> 307
> This might explain why you did not see anything drastic happening.

Correct, but we did pretty quickly see issues with some home gateways  
that did not handle the signalling correctly. So the incidents that we  
would have got would have been very visible.

>> What has been much more complicated is the sync:ing of keys between
>> parent and child zones, i.e. keeping the DS up to date.
> Would something like 'time to go live' records help? So you could
> pre-distribute?

No. This has to do with for example lack of standardized protocol for  
transfer of DS key material between DNS operator and registrar,  
registrars not supporting DNSSEC (so after a transfer of a signed  
domain, what to do?) and DNS operators (the domain is delegated to) is  
not supporting DNSSEC.

But we are working on mitigating those things with some implicit  
removal of keys at some specific epp transactions, tests of  
delegations and keys etc. We are just letting Patrik Wallström that is  
really key to this discussion have his vacation as he (a) really needs  
the vacation and (b) is moving at the same time.

I hope Afilias/PIR have been thinking about that. I was part of their  
DNSSEC deployment project for a while to sync with what has happened  
in Sweden, but I have lost contact about 2 years ago. I am happy to  
reconnect (hint hint, if anyone at Afilias/PIR see this).


More information about the dns-operations mailing list