[dns-operations] latest bind, EDNS & TCP

Simon Munton Simon.Munton at cdns.net
Mon Oct 13 08:55:07 UTC 2014


> Switching to TCP is quicker

I think this is a very short term view.

From the packet trace I posted, you just have to look at the sheer 
number of packets that running the same query over TCP causes to have 
an idea of the extra load this is going to put on TLD name servers if all 
resolvers start falling back to TCP at the drop of a hat.

Not to mention the fact that it means EVERY query is issued twice to the 
same name server. Even if the resolver ignores the answer, the workload 
on the name server is the same.

>   Most referrals even when signed will still fit in 512 bytes.

For most TLDs, for most referrals, this is *not* the case.

Most TLDs use NSEC3+OptOut and most registered zones within them don't 
sign, so an unsigned-referral proof is required.

I'm seeing in the region of ~600 bytes (580 to 620); 583 was the 
smallest I could find (without trying /too/ hard):

$ dig +norec +dnssec @a-dns.pl. far.pl


There is also the very high level of NXDOMAINs that TLDs often see to be 
considered.
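The referral the post measures with dig, rebuilt offline as an added example (this is not code from the post or from any name server): a small pure-Python RFC 1035 encoder with name compression assembles the referral an NSEC3 Opt-Out TLD sends for an unsigned delegation (NS set, the apex NSEC3 plus the Opt-Out NSEC3 covering the delegation's hash per RFC 5155 s.7.2.4, their RRSIGs, glue and the OPT record) and reports its wire size against the 512-byte plain-UDP limit. The hashed owner names, timestamps, key tag, signature bytes and glue addresses are constructed placeholders; the 128-byte signature assumes a 1024-bit RSA ZSK, and in-bailiwick NS names are an assumption as well.

```python
"""Wire-size estimate for a DNSSEC referral out of an NSEC3/Opt-Out TLD.

Added example, not code from the mailing-list post. Every name, hashed owner,
timestamp, key tag, signature byte and address below is a constructed placeholder.
"""
import struct

# RR type codes (RFC 1035, RFC 4034, RFC 5155, RFC 6891)
A, NS, SOA, OPT, DS, RRSIG, DNSKEY, NSEC3, NSEC3PARAM = 1, 2, 6, 41, 43, 46, 48, 50, 51
IN = 1
QUESTION, ANSWER, AUTHORITY, ADDITIONAL = 0, 1, 2, 3


class DNSMessage:
    """Builds a DNS message, compressing names per RFC 1035 s.4.1.4."""

    def __init__(self, msg_id=0x1234, flags=0x8000):   # QR=1, AA=0: a referral
        self.buf = bytearray(struct.pack(">HHHHHH", msg_id, flags, 0, 0, 0, 0))
        self.offsets = {}              # name suffix -> offset of its first occurrence
        self.counts = [0, 0, 0, 0]     # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

    def write_name(self, name, compress=True):
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if compress and suffix in self.offsets:
                self.buf += struct.pack(">H", 0xC000 | self.offsets[suffix])
                return                                  # a pointer ends the name
            if compress and len(self.buf) < 0x4000:
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"                             # root label

    def question(self, qname, qtype):
        self.write_name(qname)
        self.buf += struct.pack(">HH", qtype, IN)
        self.counts[QUESTION] += 1

    def rr(self, section, owner, rtype, ttl, rdata, rclass=IN):
        """rdata is a callable that appends the RDATA, so names inside it can compress."""
        self.write_name(owner)
        self.buf += struct.pack(">HHIH", rtype, rclass, ttl, 0)   # RDLENGTH patched below
        start = len(self.buf)
        rdata()
        struct.pack_into(">H", self.buf, start - 2, len(self.buf) - start)
        self.counts[section] += 1

    def wire(self):
        struct.pack_into(">HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def type_bitmap(types):
    """RFC 4034 s.4.1.2 type bitmap: one (window, length, bits) block per 256-type window."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        length = max(i for i, b in enumerate(bits) if b) + 1
        out += bytes([window, length]) + bytes(bits[:length])
    return out


def nsec3_rdata(m, optout, types):
    def build():
        m.buf += struct.pack(">BBHB", 1, 1 if optout else 0, 5, 0)   # SHA-1, flags, 5 iterations, no salt
        m.buf += bytes([20]) + b"\x11" * 20                             # constructed next hashed owner
        m.buf += type_bitmap(types)
    return build


def rrsig_rdata(m, covered, signer, sig_len, labels=2):
    def build():
        # type covered, algorithm 8 (RSA/SHA-256), labels, original TTL, expiration, inception, key tag
        m.buf += struct.pack(">HBBIIIH", covered, 8, labels, 3600, 0x5E000000, 0x5D000000, 12345)
        m.write_name(signer, compress=False)    # RFC 4034 s.3.1.7: signer name is never compressed
        m.buf += b"\x00" * sig_len              # constructed placeholder signature
    return build


def build_referral(dnssec=True, sig_len=128, nsec3_count=2):
    """Referral for far.pl (constructed, unsigned delegation) as an NSEC3 Opt-Out TLD sends it.

    dnssec=False models a query without EDNS/DO; sig_len is the RRSIG signature length
    (128 bytes for a 1024-bit RSA ZSK); nsec3_count=1 models the case where the apex
    NSEC3 also covers the delegation's hash, so one NSEC3+RRSIG pair is enough.
    """
    m = DNSMessage()
    m.question("far.pl.", A)
    for host in ("ns1.far.pl.", "ns2.far.pl."):
        m.rr(AUTHORITY, "far.pl.", NS, 86400, lambda h=host: m.write_name(h))  # NS RDATA may compress (RFC 3597 s.4)
    if dnssec:
        # RFC 5155 s.7.2.4: an Opt-Out referral carries the NSEC3 matching the closest
        # encloser (here the apex) plus the Opt-Out NSEC3 covering the delegation's hash.
        proof = [("0123456789abcdefghijklmnopqrstuv", [NS, SOA, RRSIG, DNSKEY, NSEC3PARAM]),
                 ("1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p", [NS, DS, RRSIG])]   # constructed hashed owners
        for hashed, types in proof[:nsec3_count]:
            m.rr(AUTHORITY, hashed + ".pl.", NSEC3, 3600, nsec3_rdata(m, True, types))
            m.rr(AUTHORITY, hashed + ".pl.", RRSIG, 3600, rrsig_rdata(m, NSEC3, "pl.", sig_len))
    for host, ip in (("ns1.far.pl.", bytes([192, 0, 2, 1])), ("ns2.far.pl.", bytes([192, 0, 2, 2]))):
        m.rr(ADDITIONAL, host, A, 86400, lambda ip=ip: m.buf.extend(ip))   # in-bailiwick glue (assumed)
    if dnssec:
        m.rr(ADDITIONAL, ".", OPT, 0x00008000, lambda: None, rclass=4096)  # EDNS, DO bit, 4096-byte bufsize
    return m.wire()


def fits_udp(size, edns_bufsize=None):
    """True if a response of `size` bytes fits the client's UDP limit (512 without EDNS)."""
    return size <= (edns_bufsize or 512)


if __name__ == "__main__":
    for label, msg in (("plain query, no EDNS", build_referral(dnssec=False)),
                       ("DO=1, two NSEC3+RRSIG", build_referral()),
                       ("DO=1, one NSEC3+RRSIG", build_referral(nsec3_count=1))):
        print(f"{label:24s} {len(msg):4d} bytes  fits in 512: {fits_udp(len(msg))}")
```

With two NSEC3+RRSIG pairs the constructed referral comes to 586 bytes, inside the 580 to 620 range reported above, while the same referral answered to a client without DO is under 100 bytes; fits_udp() shows which client limit each clears. Real sizes move with ZSK length, salt length, how many NS names there are and whether they are in bailiwick, and whether the apex NSEC3 happens to cover the delegation's hash as well.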
