[dns-operations] How .org name server handle large DNS response?

Mark Andrews marka at isc.org
Thu Dec 20 02:55:19 UTC 2018



> On 20 Dec 2018, at 10:40 am, Warren Kumari <warren at kumari.net> wrote:
> 
> 
> 
> On Wed, Dec 19, 2018 at 6:06 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > On Dec 19, 2018, at 5:20 PM, Warren Kumari <warren at kumari.net> wrote:
> > 
> > So, what's going on here? Is this simply sample bias? Is the failover to TCP saving us? Or the predominance of v4? What's actually keeping .org running (and I know that it *is* running :-))
> 
> The answers that are not the zone apex DNSKEY RRs, are presumably
> signed with just the ZSK, and so don't breach the 1280 byte ceiling.
> 
> Sure, but to validate www.ietf.org I need to fetch the zone apex DNSKEY RR at some point, don't I?
> Yes, the signed ns set and ds set in .org are both small, but they are not useful if I cannot get the org dnskey itself. 

And recursive servers have dealt with the issue for 20+ years by adjusting the EDNS buffer size to a value that works for the server they are talking to.  It's slow at times but it works.  People fix the firewall or tune the nameserver to speed things up.  This has been happening basically since EDNS was first deployed, because there were firewalls that blocked UDP responses greater than 512 bytes and we encountered them very early on.

> The resolvers that are doing DNSSEC validation and thus request the
> DNSKEY RRset, are likely predominantly not behind broken home CPE
> routers and the like, and/or fail over to IPv4.  So the actual
> impact may be low.
> 
> Yeah, that is what I was trying to say with sampling bias -- the people who run validating recursives may be "more able" than those who don't to get the packets?
> 
> 
> Mind you, I'd still look to avoid triple-signing the DNSKEY RRset.
> 
> Awww, where is your sense of adventure?
> W
> 
>  
> 
> -- 
>         Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
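A constructed simulation of the fallback Mark describes (probe with a large EDNS buffer, shrink it on timeout, go to TCP once the server truncates), added here as an example and not code from the thread or from ISC; the drop threshold, the probe sizes and the response sizes are assumptions chosen to mirror the 1280-byte ceiling discussed above:

```python
"""Simulated EDNS buffer-size fallback (constructed example, not resolver code)."""

DROP_ABOVE = 1280       # constructed: the path drops UDP DNS replies larger than this
TRUNCATED_SIZE = 100    # constructed: size of a TC=1 header+question+OPT reply
FALLBACK_SIZES = (4096, 1232, 512)  # assumed probe sequence for the example

def authoritative_udp(bufsize, response_size):
    """Answer over UDP the way an authoritative server does: the full answer if
    it fits the client's advertised EDNS buffer (never below 512), otherwise a
    truncated reply with the TC bit set.  Returns (bytes_sent, tc)."""
    if response_size <= max(bufsize, 512):
        return response_size, False
    return TRUNCATED_SIZE, True

def path_udp(reply):
    """Constructed middlebox: silently drop UDP replies above DROP_ABOVE."""
    size, _tc = reply
    return None if size > DROP_ABOVE else reply

def resolve(response_size, sizes=FALLBACK_SIZES):
    """Resolver strategy: advertise shrinking EDNS buffer sizes on timeout and
    switch to TCP as soon as the server truncates.  Returns the list of
    (bufsize, outcome) attempts and the transport that delivered the answer."""
    trace = []
    for bufsize in sizes:
        reply = path_udp(authoritative_udp(bufsize, response_size))
        if reply is None:
            trace.append((bufsize, "timeout"))   # big reply eaten by the path
            continue
        size, tc = reply
        if tc:
            trace.append((bufsize, "truncated"))  # small TC reply got through
            return trace, "tcp"
        trace.append((bufsize, f"ok:{size}"))
        return trace, "udp"
    return trace, "tcp"   # every UDP probe timed out; TCP is the last resort

if __name__ == "__main__":
    # constructed sizes: a triple-signed apex DNSKEY set vs. a small ZSK-signed answer
    for label, size in (("DNSKEY-like, 1700 B", 1700), ("A record, 400 B", 400)):
        print(label, resolve(size))
```

The 1700-byte case shows why lowering the buffer helps even though the answer never fits: the truncated reply is small enough to traverse the path, so the resolver learns to use TCP instead of waiting on silence.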