[dns-operations] How .org name server handle large DNS response?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 19 22:59:41 UTC 2018


> On Dec 19, 2018, at 5:20 PM, Warren Kumari <warren at kumari.net> wrote:
> 
> So, what's going on here? Is this simply sample bias? Is the failover to TCP saving us? Or the predominance of v4? What's actually keping .org running (and I know that it *is* running :-))

The answers that are not the zone apex DNSKEY RRs, are presumably
signed with just the ZSK, and so don't breach the 1280 byte ceiling.

The resolvers that are doing DNSSEC validation and thus request the
DNSKEY RRset, are likely predominantly not behind broken home CPE
routers and the like, and/or fail over to IPv4.  So the actual
impact may be low.

Mind you, I'd still look to avoid triple-signing the DNSKEY RRset.

-- 
	Viktor.




More information about the dns-operations mailing list