[dns-operations] signing a zone with NSEC3 records.
davidb at verisign.com
Thu Sep 10 13:31:15 UTC 2009
On Sep 10, 2009, at 9:24 AM, bert hubert wrote:
> On Thu, Sep 10, 2009 at 3:17 PM, David Blacka <davidb at verisign.com>
>> That isn't what I've seen. Well, the NXDOMAIN *are* bigger, sure, but not
>> so big as to fragment. For the zones I'm working on, the NXDOMAIN is
>> about 1000 bytes, well below most path MTUs.
>> So either you are using much larger ZSKs, are thinking that the path MTUs
>> are much smaller than I do, or are exaggerating for effect.
> I'm a bit worried that you think I'd be exaggerating for effect. I'm
> basing the above on:
> $ dig nosuchdomain.gov +dnssec @c.usadotgov.net
> Which weighs in at 1513 bytes of payload, and two fragments.
$ dig notexstingdomain.org +dnssec @a0.org.afilias-nst.info.
Which weighs in at 1006 bytes of payload, and no fragments.
.gov uses giant ZSKs. I suggest that .gov is quite the exception when
it comes to signed zones.
David Blacka <davidb at verisign.com>
Sr. Engineer VeriSign Platform Product Development
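The size difference the two measurements above turn on is mostly the RRSIGs: a signed NXDOMAIN from an NSEC3 zone carries a SOA plus up to three NSEC3 records, each with its own RRSIG, and each RSA signature is as long as the ZSK modulus. The following estimator, added here as an illustration and not code from either poster, models the wire format of that response and checks it against the IPv4 fragmentation threshold for a 1500-byte MTU. The SOA MNAME/RNAME, the empty NSEC3 salt, the 6-byte type bitmap and the 1232-byte EDNS figure are assumptions chosen for the example; the RR field layout follows RFC 4034 and RFC 5155.

```python
"""Estimate the wire size of a DNSSEC NXDOMAIN response from an NSEC3-signed zone
as a function of RSA ZSK size, and count the IPv4 fragments it would need.
Illustrative model, not a parser of real packets."""

IPV4_HDR = 20          # no IP options
UDP_HDR = 8
EDNS_SAFE = 1232       # assumption: a commonly recommended EDNS buffer size
RR_FIXED = 2 + 2 + 4 + 2   # TYPE, CLASS, TTL, RDLENGTH
COMPRESSED_OWNER = 2       # owner name written as a compression pointer


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a DNS name: one length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def rrsig_len(zsk_bits: int, signer: str) -> int:
    """RRSIG RR: 18 fixed RDATA bytes, the signer name (never compressed,
    RFC 4034 section 3.1.7) and an RSA signature of modulus length."""
    return COMPRESSED_OWNER + RR_FIXED + 18 + name_wire_len(signer) + zsk_bits // 8


def nsec3_len(salt_len: int = 0, hash_len: int = 20, bitmap_len: int = 6) -> int:
    """NSEC3 RR: owner is one base32hex label of the hash (32 chars for SHA-1)
    plus a pointer to the apex; RDATA is alg, flags, iterations, salt, next hash, bitmap."""
    owner = 1 + (hash_len * 8 + 4) // 5 + 2
    rdata = 1 + 1 + 2 + 1 + salt_len + 1 + hash_len + bitmap_len
    return owner + RR_FIXED + rdata


def soa_len(mname: str, rname: str) -> int:
    """SOA RR with uncompressed MNAME/RNAME and the five 32-bit counters."""
    return COMPRESSED_OWNER + RR_FIXED + name_wire_len(mname) + name_wire_len(rname) + 20


def nxdomain_size(qname: str, zone: str, zsk_bits: int, nsec3_count: int = 3,
                  salt_len: int = 0,
                  mname: str = "ns.example",            # assumption: placeholder SOA names
                  rname: str = "hostmaster.example") -> int:
    """Bytes of DNS payload: header, question, OPT, SOA+RRSIG, N x (NSEC3+RRSIG).
    Three NSEC3s is the full closest-encloser proof (RFC 5155 section 7.2.2)."""
    header = 12
    question = name_wire_len(qname) + 4
    opt = 11                                   # EDNS OPT pseudo-RR, no options
    sig = rrsig_len(zsk_bits, zone)
    authority = soa_len(mname, rname) + sig + nsec3_count * (nsec3_len(salt_len) + sig)
    return header + question + opt + authority


def ipv4_fragments(payload_len: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments for one UDP datagram carrying payload_len bytes.
    Each non-final fragment carries a multiple of 8 bytes of IP payload."""
    ip_payload = UDP_HDR + payload_len
    per_fragment = (mtu - IPV4_HDR) // 8 * 8
    return -(-ip_payload // per_fragment)      # ceiling division


def fits_unfragmented(payload_len: int, mtu: int = 1500) -> bool:
    return payload_len <= mtu - IPV4_HDR - UDP_HDR


if __name__ == "__main__":
    qname, zone = "notexstingdomain.org", "org"   # the query from the thread, as a sample
    print(f"{'ZSK bits':>8} {'bytes':>6} {'frags@1500':>10} {'<=1232':>7}")
    for bits in (1024, 1536, 2048, 4096):
        size = nxdomain_size(qname, zone, bits)
        print(f"{bits:>8} {size:>6} {ipv4_fragments(size):>10} {size <= EDNS_SAFE!s:>7}")
```

Run as-is, the model puts a 1024-bit ZSK answer just under 1000 bytes and a 2048-bit one just over 1500, which lands in the same neighbourhood as the 1006-byte and 1513-byte measurements quoted above; the second crosses the 1472-byte IPv4 threshold and becomes two fragments, regardless of how many NSEC3 records the particular proof needs.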