[dns-operations] latest bind, EDNS & TCP

Simon Munton Simon.Munton at cdns.net
Wed Nov 12 12:36:32 UTC 2014

Mark, I didn't see any reply to this; do you have anything to add?

Do you think this flawed assumption could be the cause of the surge in 
TCP queries we have been seeing?

>>   Most referrals even when signed will still fit in 512 bytes.
> For most TLDs, for most referrals, this is *not* the case.
> Most TLDs use NSEC3+OptOut and most registered zones within them don't
> sign, so an unsigned-referral proof is required.
> I'm seeing in the region of ~600 bytes (580 to 620), 583 was the
> smallest I could find (without trying /too/ hard)
> $ dig +norec +dnssec @a-dns.pl. far.pl
> There is also the very high level of NXDOMAINs that TLDs often see to be
> considered.
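
Added worked example, not part of the original thread: a wire-size estimate for an unsigned-delegation referral carrying the NSEC3 opt-out proof (two NSEC3 records, each with an RRSIG), showing where the 512-byte limit is crossed. The NS host labels, 8-byte salt, type bitmaps and signature sizes are constructed assumptions, not values measured from any TLD, and glue records are ignored.

```python
# Added example: wire-size estimate for an opt-out referral, using the
# record layouts from RFC 1035, RFC 4034 and RFC 5155.
# All zone parameters are constructed assumptions, not measurements.

RR_FIXED = 10   # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
PTR = 2         # compression pointer to a name already in the message
OPT_RR = 11     # EDNS0 OPT pseudo-RR with empty RDATA

def name_len(name):
    """Uncompressed wire length of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def bitmap_len(types):
    """Type bitmap length: per 256-type window, 2 header bytes plus
    the bytes needed to reach the highest type present."""
    windows = {}
    for t in types:
        windows[t >> 8] = max(windows.get(t >> 8, 0), (t & 0xFF) // 8 + 1)
    return sum(2 + n for n in windows.values())

def nsec3_rr(salt_len, types):
    owner = 1 + 32 + PTR   # base32hex SHA-1 label + pointer to the zone apex
    rdata = 1 + 1 + 2 + 1 + salt_len + 1 + 20 + bitmap_len(types)
    return owner + RR_FIXED + rdata

def rrsig_rr(zone, sig_len):
    # 18 fixed RDATA bytes; the signer name is never compressed
    return PTR + RR_FIXED + 18 + name_len(zone) + sig_len

def referral_size(qname, zone, ns_hosts, sig_len=None, salt_len=8):
    """sig_len=None models a plain query (no EDNS, no DNSSEC records)."""
    size = 12 + name_len(qname) + 4          # header + question
    for host in ns_hosts:                    # NS target: first label + pointer to qname
        size += PTR + RR_FIXED + 1 + len(host) + PTR
    if sig_len is None:
        return size
    apex = [2, 6, 46, 48, 51]                # NS SOA RRSIG DNSKEY NSEC3PARAM (assumed)
    cover = [2, 43, 46]                      # NS DS RRSIG (assumed)
    for types in (apex, cover):              # closest encloser + next-closer cover
        size += nsec3_rr(salt_len, types) + rrsig_rr(zone, sig_len)
    return size + OPT_RR

if __name__ == "__main__":
    for label, sig in [("no DNSSEC", None), ("ECDSA P-256", 64),
                       ("RSA-1024", 128), ("RSA-2048", 256)]:
        n = referral_size("far.pl", "pl", ["ns1", "ns2"], sig)
        print(f"{label:12} {n:4d} bytes  {'> 512' if n > 512 else 'fits in 512'}")
```

Under these assumptions the two RRSIGs dominate the response, so the signature algorithm largely decides whether a 512-byte limit forces truncation and a TCP retry.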

