[dns-operations] signing a zone with NSEC3 records.

David Blacka davidb at verisign.com
Thu Sep 10 13:31:15 UTC 2009

On Sep 10, 2009, at 9:24 AM, bert hubert wrote:

> On Thu, Sep 10, 2009 at 3:17 PM, David Blacka <davidb at verisign.com>  
> wrote:
>> That isn't what I've seen.  Well, the NXDOMAIN *are* bigger, sure,  
>> but not
>> so big as to fragment.  For the zones the I'm working on, the  
>> about 1000 bytes, well below most path MTUs.
>> So either you are using much larger ZSKs, are thinking that the  
>> path MTUs
>> are much smaller than I do, or are exaggerating for effect.
> David,
> I'm a bit worried that you think I'd be exaggerating for effect. I'm
> basing the above on:
> $ dig  nosuchdomain.gov +dnssec @c.usadotgov.net
> Which weighs in at 1513 bytes of payload, and two fragments.

A counter-example:

$ dig notexstingdomain.org +dnssec @a0.org.afilias-nst.info.

Which weighs in at 1006 bytes of payload, an no fragments.

.gov uses giant ZSKs.  I suggest that .gov is quite the exception when  
it comes to signed zones.

David Blacka                          <davidb at verisign.com>
Sr. Engineer          VeriSign Platform Product Development

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090910/1d93d417/attachment.bin>

More information about the dns-operations mailing list