[dns-operations] signing a zone with NSEC3 records.
David Blacka
davidb at verisign.com
Thu Sep 10 13:31:15 UTC 2009
On Sep 10, 2009, at 9:24 AM, bert hubert wrote:
> On Thu, Sep 10, 2009 at 3:17 PM, David Blacka <davidb at verisign.com>
> wrote:
>> That isn't what I've seen. Well, the NXDOMAIN *are* bigger, sure, but not
>> so big as to fragment. For the zones I'm working on, the NXDOMAIN is
>> about 1000 bytes, well below most path MTUs.
>>
>> So either you are using much larger ZSKs, are thinking that the path MTUs
>> are much smaller than I do, or are exaggerating for effect.
>
> David,
>
> I'm a bit worried that you think I'd be exaggerating for effect. I'm
> basing the above on:
>
> $ dig nosuchdomain.gov +dnssec @c.usadotgov.net
>
> Which weighs in at 1513 bytes of payload, and two fragments.
A counter-example:
$ dig notexstingdomain.org +dnssec @a0.org.afilias-nst.info.
Which weighs in at 1006 bytes of payload, and no fragments.
.gov uses giant ZSKs. I suggest that .gov is quite the exception when
it comes to signed zones.
--
David Blacka <davidb at verisign.com>
Sr. Engineer VeriSign Platform Product Development
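To make the size argument in this exchange concrete, here is a small estimator added to the thread (my own code, not from either poster or their registries) that works out the approximate wire size of an NSEC3 NXDOMAIN response from the ZSK length, the zone name and the NSEC3 parameters, and checks it against a path MTU. The example zone and names, SHA-1 hashing with no salt, a 4-byte type bitmap and a 1500-byte Ethernet path are all assumptions.

```python
import math
# Constructed path-MTU assumption: Ethernet-sized path, IPv4 without options,
# so 1500 - 20 (IP header) - 8 (UDP header) bytes of DNS payload per datagram.
MAX_UNFRAGMENTED_PAYLOAD = 1500 - 20 - 8  # 1472

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name, e.g. 'org.' -> 5 bytes."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1  # + root label

def rr_len(owner_len: int, rdata_len: int) -> int:
    """One RR: owner + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return owner_len + 10 + rdata_len

def rrsig_rdata_len(sig_bytes: int, signer_len: int) -> int:
    """RRSIG RDATA (RFC 4034 s3.1): 18 fixed bytes + signer name + signature."""
    return 18 + signer_len + sig_bytes

def nsec3_rdata_len(hash_len: int, salt_len: int, bitmap_len: int) -> int:
    """NSEC3 RDATA (RFC 5155 s3.2): alg, flags, iterations, salt, hash, bitmap."""
    return 1 + 1 + 2 + 1 + salt_len + 1 + hash_len + bitmap_len

def nxdomain_size(qname: str, zone: str, zsk_bits: int, mname: str, rname: str,
                  nsec3_count: int = 3, hash_len: int = 20, salt_len: int = 0,
                  bitmap_len: int = 4) -> int:
    """Approximate DNS payload bytes of a DNSSEC NXDOMAIN from an NSEC3-signed
    zone: header, question, SOA + RRSIG, up to three NSEC3 + RRSIG (the
    closest-encloser proof) and OPT. Names are left uncompressed, so real
    answers are a bit smaller; an RSA signature is as long as the key."""
    sig_bytes = zsk_bits // 8
    zone_len = wire_name_len(zone)
    def rrsig_len(owner_len: int) -> int:  # an RRSIG RR made with the zone's ZSK
        return rr_len(owner_len, rrsig_rdata_len(sig_bytes, zone_len))
    question = wire_name_len(qname) + 4  # QTYPE + QCLASS
    soa = rr_len(zone_len, wire_name_len(mname) + wire_name_len(rname) + 20)
    # NSEC3 owner name: base32hex hash label (5 bits per character) under the zone.
    nsec3_owner = 1 + math.ceil(hash_len * 8 / 5) + zone_len
    nsec3 = rr_len(nsec3_owner, nsec3_rdata_len(hash_len, salt_len, bitmap_len))
    authority = soa + rrsig_len(zone_len) + nsec3_count * (nsec3 + rrsig_len(nsec3_owner))
    opt = 11  # root name(1) + TYPE(2) + UDP size(2) + TTL(4) + RDLENGTH(2)
    return 12 + question + authority + opt  # 12-byte DNS header

def fits_in_one_datagram(payload_bytes: int) -> bool:
    return payload_bytes <= MAX_UNFRAGMENTED_PAYLOAD

if __name__ == "__main__":
    for bits in (1024, 2048):  # ordinary ZSK vs the "giant" ZSK discussed above
        size = nxdomain_size("nosuchname.example.", "example.", bits,
                             "ns1.example.", "hostmaster.example.")
        print(f"{bits}-bit ZSK: ~{size} bytes, fragments: {not fits_in_one_datagram(size)}")
```

Four RRSIGs (one over the SOA, three over the NSEC3s) each grow by the extra signature bytes, which is why going from a 1024-bit to a 2048-bit ZSK adds about 512 bytes and pushes the constructed zone's NXDOMAIN from roughly 1160 to 1672 bytes, past the 1472-byte single-datagram limit.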