[dns-operations] signing a zone with NSEC3 records.
bert hubert
bert.hubert at netherlabs.nl
Thu Sep 10 13:24:48 UTC 2009
On Thu, Sep 10, 2009 at 3:17 PM, David Blacka <davidb at verisign.com> wrote:
> That isn't what I've seen. Well, the NXDOMAIN *are* bigger, sure, but not
> so big as to fragment. For the zones that I'm working on, the NXDOMAIN is
> about 1000 bytes, well below most path MTUs.
>
> So either you are using much larger ZSKs, are thinking that the path MTUs
> are much smaller than I do, or are exaggerating for effect.
David,
I'm a bit worried that you think I'd be exaggerating for effect. I'm
basing the above on:
$ dig nosuchdomain.gov +dnssec @c.usadotgov.net
Which weighs in at 1513 bytes of payload, and two fragments.
Bert