[dns-operations] signing a zone with NSEC3 records.

bert hubert bert.hubert at netherlabs.nl
Thu Sep 10 13:24:48 UTC 2009

On Thu, Sep 10, 2009 at 3:17 PM, David Blacka <davidb at verisign.com> wrote:
> That isn't what I've seen.  Well, the NXDOMAIN *are* bigger, sure, but not
> so big as to fragment.  For the zones the I'm working on, the NXDOMAIN is
> about 1000 bytes, well below most path MTUs.
> So either you are using much larger ZSKs, are thinking that the path MTUs
> are much smaller than I do, or are exaggerating for effect.


I'm a bit worried that you think I'd be exaggerating for effect. I'm
basing the above on:

$ dig  nosuchdomain.gov +dnssec @c.usadotgov.net

Which weighs in at 1513 bytes of payload, and two fragments.


More information about the dns-operations mailing list