[dns-operations] latest bind, EDNS & TCP

Simon Munton Simon.Munton at cdns.net
Wed Nov 12 12:36:32 UTC 2014


Mark, I didn't see any reply to this; do you have anything to add?

Do you think this flawed assumption could be the cause of the surge in 
TCP queries we have been seeing?


>>   Most referrals even when signed will still fit in 512 bytes.
>
> For most TLDs, for most referrals, this is *not* the case.
>
> Most TLDs use NSEC3+OptOut and most registered zones within them don't
> sign, so an unsigned-referral proof is required.
>
> I'm seeing in the region of ~600 bytes (580 to 620); 583 was the
> smallest I could find (without trying /too/ hard)
>
> $ dig +norec +dnssec @a-dns.pl. far.pl
>
>
> There is also the very high level of NXDOMAINs that TLDs often see to be
> considered.

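As an added illustration of the point made above (this is not code from the original thread, from BIND or from any TLD operator): a small Python model that builds the wire-format referral a TLD server sends for an unsigned delegation under NSEC3 Opt-Out, measures it, and applies the 512-byte limit or the client's advertised EDNS size to decide whether TC is set and the client has to come back over TCP. The NSEC3 hash is the real RFC 5155 computation, but the zone parameters (empty salt, 0 iterations), the covering hashed names, the 128-byte signature (a 1024-bit RSA ZSK) and the glue addresses are assumptions chosen to make the message layout realistic; nothing here reflects the actual .pl zone.

```python
# Constructed model of a TLD referral under NSEC3 Opt-Out: builds the wire-format
# response, measures it, and applies the 512-byte / EDNS limit. Hashes of names,
# signatures and addresses are placeholders; only the byte layout matters for size.
import base64
import hashlib
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_OPT = 1, 2, 6, 41
TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY, TYPE_NSEC3, TYPE_NSEC3PARAM = 43, 46, 48, 50, 51
CLASS_IN, FLAG_TC = 1, 0x02  # TC bit lives in header byte 2
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Uncompressed, lower-cased wire form of a dotted name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def put_name(msg, table, name):
    """Append a name using RFC 1035 pointer compression; table maps suffix -> offset."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            msg += struct.pack("!H", 0xC000 | table[suffix])
            return
        if len(msg) < 0x3FFF:
            table.setdefault(suffix, len(msg))
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00"

def put_rr(msg, table, owner, rtype, ttl, rdata):
    """Append one RR; rdata is bytes, or a callable that appends (so it can compress)."""
    put_name(msg, table, owner)
    msg += struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0)
    rdlen_pos, start = len(msg) - 2, len(msg)
    if callable(rdata):
        rdata(msg, table)
    else:
        msg += rdata
    struct.pack_into("!H", msg, rdlen_pos, len(msg) - start)

def type_bitmap(types):
    """RFC 4034 type bitmap, window 0 only (every type used here is < 256)."""
    bm = bytearray(max(types) // 8 + 1)
    for t in types:
        bm[t // 8] |= 0x80 >> (t % 8)
    return bytes([0, len(bm)]) + bytes(bm)

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h

def nsec3_owner(name, zone, salt=b"", iterations=0):
    """Owner name of the NSEC3 record for `name`: base32hex(hash).zone"""
    return base64.b32encode(nsec3_hash(name, salt, iterations)).decode().translate(B32HEX) + "." + zone

def nsec3_rdata(next_hash, types, opt_out):
    # hash alg SHA-1, flags (bit 0 = Opt-Out), 0 iterations, empty salt (assumed), next hash, bitmap
    return struct.pack("!BBHB", 1, int(opt_out), 0, 0) + bytes([len(next_hash)]) + next_hash + type_bitmap(types)

def rrsig_rdata(covered, labels, signer, sig_len=128):
    """RRSIG RDATA with a placeholder signature (128 bytes = a 1024-bit RSA ZSK, assumed).
    The signer name is never compressed (RFC 4034 section 3.1.7)."""
    head = struct.pack("!HBBIIIH", covered, 8, labels, 3600, 0x55000000, 0x54F00000, 12345)
    return head + wire_name(signer) + b"\x00" * sig_len

def build_referral(qname="far.pl.", zone="pl.", signed=True, client_bufsize=None):
    """Referral for an unsigned delegation; signed=True adds the NSEC3 Opt-Out proof."""
    msg, table = bytearray(), {}
    ns = ["ns1." + qname, "ns2." + qname]
    proof = []
    if signed:
        # RFC 5155 7.2.4: NSEC3 matching the closest encloser (here the apex) plus an
        # Opt-Out NSEC3 covering the next closer name. The covering names are stand-ins.
        apex = (TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_DNSKEY, TYPE_NSEC3PARAM)
        proof = [(nsec3_owner(zone, zone), nsec3_rdata(nsec3_hash("a." + zone), apex, False)),
                 (nsec3_owner("e." + zone, zone),
                  nsec3_rdata(nsec3_hash("g." + zone), (TYPE_NS, TYPE_DS, TYPE_RRSIG), True))]
    has_opt = client_bufsize is not None
    msg += struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns) + 2 * len(proof), len(ns) + has_opt)
    put_name(msg, table, qname)
    msg += struct.pack("!HH", TYPE_A, CLASS_IN)
    for target in ns:  # the delegation NS RRset is not signed by the parent
        put_rr(msg, table, qname, TYPE_NS, 86400, lambda m, t, n=target: put_name(m, t, n))
    for owner, rdata in proof:
        put_rr(msg, table, owner, TYPE_NSEC3, 3600, rdata)
        put_rr(msg, table, owner, TYPE_RRSIG, 3600, rrsig_rdata(TYPE_NSEC3, 2, zone))
    for i, target in enumerate(ns):  # glue, RFC 5737 documentation addresses
        put_rr(msg, table, target, TYPE_A, 86400, bytes([192, 0, 2, i + 1]))
    if has_opt:  # OPT pseudo-RR: root owner, CLASS field carries our UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return bytes(msg)

def udp_response(msg, client_bufsize=None):
    """Server side: 512 bytes without EDNS, else the advertised size floored at 512
    (RFC 6891 6.2.5). Oversized: set TC and keep only header + question (real
    servers trim at RRset boundaries; the effect on the client is the same)."""
    limit = 512 if client_bufsize is None else max(512, client_bufsize)
    if len(msg) <= limit:
        return msg
    i = 12
    while msg[i]:  # skip the QNAME labels
        i += msg[i] + 1
    hdr = bytearray(msg[:12])
    hdr[2] |= FLAG_TC
    struct.pack_into("!HHH", hdr, 6, 0, 0, 0)  # ANCOUNT, NSCOUNT, ARCOUNT
    return bytes(hdr) + msg[12:i + 5]  # terminating zero, QTYPE, QCLASS

def needs_tcp_retry(response):
    """Client side: TC=1 means the query is retried over TCP (RFC 1035, RFC 7766)."""
    return bool(response[2] & FLAG_TC)

def simulate(signed=True, client_bufsize=None, qname="far.pl."):
    full = build_referral(qname, signed=signed, client_bufsize=client_bufsize)
    sent = udp_response(full, client_bufsize)
    return {"wire_size": len(full), "sent": len(sent), "tcp_retry": needs_tcp_retry(sent)}
```

Calling simulate() for the four interesting cases (unsigned; signed without EDNS; signed with EDNS advertising 512; signed with EDNS advertising 4096) shows the shape of the problem: the unsigned referral is well under 100 bytes, while the same referral with the two NSEC3 records and their RRSIGs comes out just under 600 bytes, in line with the 580 to 620 range quoted above, so any client that does not advertise a buffer larger than that gets TC=1 and retries over TCP. The hash values, salt, iteration count and key size are assumptions; to see the real figure for a given TLD, use the dig command in the post and read the MSG SIZE line.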

