[dns-operations] How .org name server handle large DNS response?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Dec 19 09:33:13 UTC 2018
On Wed, Dec 19, 2018 at 05:09:44PM +0800, Davey Song(宋林健) wrote:
> I'm curious about how the .org authoritative servers handle large DNS responses. Is
> there any notable impact of IPv6 fragmentation issues on .org servers?
>
> I ask about .org because .org generates a large DNS response (1625 octets) when you
> dig dnskey org. +dnssec, which makes the issue more common.
>
> Are there Afilias people on the mailing list? Did you ever consider ATR
> (draft-song-atr-large-resp) for the issue? We need a talk.
Rather than ATR, I'd recommend:

1. Eliminate unnecessary DNSKEY RRSIGs; one (just by the active KSK)
   is enough (cf. .com), but .org sends three, two KSK signatures and
   even one ZSK signature. Perhaps there's a good reason for this, but
   it would be good to find a more svelte design.

2. Switch to algorithm 13, ECDSA with P-256.
--
Viktor.
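As an added example (not part of the thread, and not .org's actual zone data), the following Python estimates the UDP payload size of a DNSKEY+RRSIG response from a zone's key and signature composition, using the RDATA layouts in RFC 4034, RFC 3110 and RFC 6605. The key set used (two 2048-bit RSA KSKs, two 1024-bit RSA ZSKs, RRSIGs by both KSKs and one ZSK) is a constructed assumption that happens to reproduce the 1625-octet figure quoted above; the 1232-byte limit is the 1280-byte IPv6 minimum MTU less the IPv6 and UDP headers.

```python
# Constructed model of a DNSKEY response; key sets are assumptions, not .org's data.
RSASHA256 = 8          # RSA/SHA-256
ECDSAP256SHA256 = 13   # ECDSA P-256 with SHA-256

# 1280-byte IPv6 minimum MTU minus 40-byte IPv6 header and 8-byte UDP header
IPV6_UNFRAGMENTED_PAYLOAD = 1232

def wire_name_len(name):
    """Uncompressed wire length of a name: one length byte per label + root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def dnskey_rdata_len(alg, bits):
    """RFC 4034 DNSKEY RDATA: flags(2) + protocol(1) + algorithm(1) + public key."""
    if alg == RSASHA256:
        pubkey = 1 + 3 + bits // 8   # RFC 3110: exponent-length byte, 65537, modulus
    elif alg == ECDSAP256SHA256:
        pubkey = 64                  # RFC 6605: uncompressed point X || Y, 32 bytes each
    else:
        raise ValueError("unsupported algorithm %d" % alg)
    return 4 + pubkey

def rrsig_rdata_len(alg, bits, signer):
    """RFC 4034 RRSIG RDATA: 18 fixed bytes + signer name (never compressed) + signature."""
    sig = bits // 8 if alg == RSASHA256 else 64
    return 18 + wire_name_len(signer) + sig

def dnskey_response_len(zone, keys, sigs):
    """keys and sigs are lists of (algorithm, key_bits); one RRSIG per signing key."""
    header, question = 12, wire_name_len(zone) + 4   # question = QNAME + QTYPE + QCLASS
    rr_fixed = 2 + 10   # owner as 2-byte compression pointer + TYPE/CLASS/TTL/RDLENGTH
    answer = sum(rr_fixed + dnskey_rdata_len(a, b) for a, b in keys)
    answer += sum(rr_fixed + rrsig_rdata_len(a, b, zone) for a, b in sigs)
    opt = 11            # OPT pseudo-RR (root owner + 10 fixed bytes, empty RDATA)
    return header + question + answer + opt

def fits_ipv6_unfragmented(size):
    return size <= IPV6_UNFRAGMENTED_PAYLOAD

if __name__ == "__main__":
    # Constructed key set: two 2048-bit RSA KSKs and two 1024-bit RSA ZSKs.
    rsa_keys = [(RSASHA256, 2048)] * 2 + [(RSASHA256, 1024)] * 2
    scenarios = [
        ("three RRSIGs (2 KSK + 1 ZSK)", rsa_keys, [(RSASHA256, 2048)] * 2 + [(RSASHA256, 1024)]),
        ("one KSK RRSIG only", rsa_keys, [(RSASHA256, 2048)]),
        ("4 x ECDSA P-256, one KSK RRSIG", [(ECDSAP256SHA256, 256)] * 4, [(ECDSAP256SHA256, 256)]),
    ]
    for label, keys, sigs in scenarios:
        n = dnskey_response_len("org.", keys, sigs)
        print("%-32s %4d octets, fits IPv6 min MTU: %s" % (label, n, fits_ipv6_unfragmented(n)))
```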