[dns-operations] How .org name server handle large DNS response?

Warren Kumari warren at kumari.net
Wed Dec 19 23:40:41 UTC 2018

On Wed, Dec 19, 2018 at 6:06 PM Viktor Dukhovni <ietf-dane at dukhovni.org>

> > On Dec 19, 2018, at 5:20 PM, Warren Kumari <warren at kumari.net> wrote:
> >
> > So, what's going on here? Is this simply sample bias? Is the failover to
> TCP saving us? Or the predominance of v4? What's actually keeping .org
> running (and I know that it *is* running :-))
> The answers that are not the zone apex DNSKEY RRs are presumably
> signed with just the ZSK, and so don't breach the 1280 byte ceiling.

Sure, but to validate www.ietf.org I need to fetch the zone apex DNSKEY RR
at some point, don't I?
Yes, the signed ns set and ds set in .org are both small, but they are not
useful if I cannot get the org dnskey itself.

> The resolvers that are doing DNSSEC validation and thus request the
> DNSKEY RRset, are likely predominantly not behind broken home CPE
> routers and the like, and/or fail over to IPv4.  So the actual
> impact may be low.

Yeah, that is what I was trying to say with sampling bias -- the people who
run validating recursives may be "more able" than those who don't to get
the packets?

> Mind you, I'd still look to avoid triple-signing the DNSKEY RRset.

Awww, where is your sense of adventure?

> --
>         Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
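A rough wire-size estimate for the DNSKEY response discussed above, as an added example (not from the thread or from any .org tooling): it sums RSA DNSKEY and RRSIG record sizes to show when a DNSKEY RRset with one versus three signatures crosses the 1280-byte IPv6 minimum MTU. The 2048/1024-bit key sizes and the roll scenario are assumptions for illustration, not .org's actual keys.

```python
# Estimator for the wire size of a 'zone DNSKEY' response (RSA keys only).
# Added example, not from the thread; key sizes are assumed, not .org's real ones.

DNS_HEADER = 12          # id, flags, four section counts
RR_FIXED = 10            # type, class, ttl, rdlength
COMPRESSED_NAME = 2      # owner name as a compression pointer to the question
OPT_RR = 11              # EDNS0 OPT RR: root name + fixed fields, no options
RSA_EXPONENT = 1 + 3     # length octet + 65537
IPV6_MIN_MTU = 1280
IPV6_UDP_OVERHEAD = 40 + 8   # IPv6 header + UDP header

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name, e.g. 'org.' -> 5."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1      # +1 for the root label

def dnskey_rr_len(modulus_bits: int) -> int:
    """DNSKEY RR holding an RSA key: flags/protocol/algorithm + exponent + modulus."""
    rdata = 4 + RSA_EXPONENT + modulus_bits // 8
    return COMPRESSED_NAME + RR_FIXED + rdata

def rrsig_rr_len(zone: str, signer_bits: int) -> int:
    """RRSIG RR: 18 fixed octets, uncompressed signer name, RSA signature."""
    rdata = 18 + wire_name_len(zone) + signer_bits // 8
    return COMPRESSED_NAME + RR_FIXED + rdata

def dnskey_response_len(zone: str, key_bits: list, signer_bits: list) -> int:
    """DNS payload size: header + question + DNSKEY RRset + its RRSIGs + OPT."""
    size = DNS_HEADER + wire_name_len(zone) + 4      # question: name + type + class
    size += sum(dnskey_rr_len(b) for b in key_bits)
    size += sum(rrsig_rr_len(zone, b) for b in signer_bits)
    return size + OPT_RR

def udp_outcome(payload: int, path_mtu: int = IPV6_MIN_MTU) -> str:
    """'udp' if the datagram fits the path MTU, else the resolver must retry over TCP."""
    return "udp" if payload + IPV6_UDP_OVERHEAD <= path_mtu else "tcp-fallback"

if __name__ == "__main__":
    # Assumed steady state: one 2048-bit KSK, one 1024-bit ZSK, signed by the KSK.
    steady = dnskey_response_len("org.", [2048, 1024], [2048])
    # Assumed double key roll with the RRset triple-signed (old KSK, new KSK, ZSK).
    rolling = dnskey_response_len("org.", [2048, 2048, 1024, 1024], [2048, 2048, 1024])
    for label, n in (("steady state", steady), ("triple-signed roll", rolling)):
        print(f"{label}: ~{n} bytes of DNS payload -> {udp_outcome(n)}")
```

The answers other than the apex DNSKEY (NS, DS and their single ZSK signature) stay well below the threshold with the same arithmetic, which is the point made in the thread.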
