[dns-operations] wrapup of fragmentation/do/tcp discussion requested

Peter Koch pk at DENIC.DE
Mon Jun 22 10:29:00 UTC 2009

[I believe this discussion should better take place on an IETF list.]

On Mon, Jun 22, 2009 at 10:11:05AM +1000, Mark Andrews wrote:

> 	3.  Some answers are less than 512 bytes in size.

For an NSEC3 signed zone, very few responses will be smaller than 512 octets.
A referral is increased by 484 octets (2 * NSEC3/RRSIG(*)) and an NXDOMAIN
response by roughly 890 octets (3*(NSEC3+RRSIG) + RRSIG(SOA)).
Signed referrals are smaller, indeed, but there won't be too many in the
beginning, at least.  Authoritative positive responses might also fit, but most
TLDs are delegation-centric zones and have little to contribute here.
That means, at least for an NSEC3 signed zone, DO=1 at 512 is _asking_ for TC.


(*) assuming a 1024 bit ZSK
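The size arithmetic in the post above, worked through as an added example (not code from the list or its authors): a rough wire-format estimator for the DNSSEC overhead of NSEC3 referrals and NXDOMAIN responses, used to check whether a response would exceed a 512-octet buffer and so come back with TC set. The per-record constants (compressed owner names, a 12-octet signer name, empty salt, 8-octet type bitmap, SHA-1 hash) are my assumptions; they land close to, but not exactly on, the 484/890 figures the post quotes.

```python
"""Estimate how much DNSSEC (NSEC3 + RRSIG) adds to a DNS response.

Added example, not from the list post. All sizes are approximate wire-format
octet counts under the assumptions noted in each function.
"""

RR_FIXED = 10          # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
COMPRESSED_NAME = 2    # owner name given as a compression pointer


def rrsig_size(zsk_bits=1024, signer_name_len=12):
    """Wire size of one RRSIG RR.

    RDATA fixed part is 18 octets (type covered, algorithm, labels, original
    TTL, expiration, inception, key tag); the signature is zsk_bits/8 octets
    for RSA. signer_name_len=12 is an assumed uncompressed zone name.
    """
    return COMPRESSED_NAME + RR_FIXED + 18 + signer_name_len + zsk_bits // 8


def nsec3_size(salt_len=0, bitmap_len=8, hash_len=20):
    """Wire size of one NSEC3 RR.

    Owner is a 32-character base32 label (SHA-1 hash) followed by a pointer
    to the zone name. RDATA: hash alg(1) flags(1) iterations(2)
    salt_len(1)+salt hash_len(1)+hash, then the type bitmap (assumed 8).
    """
    owner = 1 + 32 + COMPRESSED_NAME
    rdata = 1 + 1 + 2 + 1 + salt_len + 1 + hash_len + bitmap_len
    return owner + RR_FIXED + rdata


def dnssec_overhead(kind, zsk_bits=1024):
    """Extra octets DNSSEC adds to a response of the given kind.

    Mirrors the post's accounting:
      referral (to an unsigned child): 2 * (NSEC3 + RRSIG)  (no-DS proof)
      nxdomain: 3 * (NSEC3 + RRSIG) + RRSIG(SOA)
      positive: one RRSIG for the answer RRset
    """
    pair = nsec3_size() + rrsig_size(zsk_bits)
    if kind == "referral":
        return 2 * pair
    if kind == "nxdomain":
        return 3 * pair + rrsig_size(zsk_bits)
    if kind == "positive":
        return rrsig_size(zsk_bits)
    raise ValueError(f"unknown response kind: {kind}")


def truncates(unsigned_size, kind, bufsize=512, zsk_bits=1024):
    """True if the DO=1 response would not fit in bufsize octets (TC set)."""
    return unsigned_size + dnssec_overhead(kind, zsk_bits) > bufsize


if __name__ == "__main__":
    # Constructed sample: an unsigned referral or NXDOMAIN of ~100 octets.
    for kind in ("positive", "referral", "nxdomain"):
        for buf in (512, 1232, 4096):
            print(f"{kind:9s} overhead={dnssec_overhead(kind):4d} "
                  f"buf={buf:4d} TC={truncates(100, kind, buf)}")
```

Even with a tiny 100-octet base message, the NXDOMAIN overhead alone is larger than 512 octets, so a DO=1 query without EDNS (or with an EDNS buffer of 512) is guaranteed to be truncated and retried over TCP; only the positive-answer case fits.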

