[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(

Paul Vixie paul at redbarn.org
Fri May 1 07:02:21 UTC 2020

they will have to be troubled. perhaps we can notify them first. that config is not sustainable.


On 30 Apr 2020, at 23:38, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>On Sun, Apr 19, 2020 at 12:39:24AM -0400, Viktor Dukhovni wrote:
>> The DANE survey unbound resolver is presently configured to advertise
>> EDNS UDP buffer size of 1232 bytes (to avoid UDP fragmentation
>> over IPv6).  With this buffer size (or indeed any buffer size below
>> bytes) and the DO bit set to solicit DNSSEC signatures, queries for
>> darpa.mil MX host TLSA records fail:
>FWIW, with ofda.gov even 1410 is not enough, EDNS buffer sizes less than
>1555 (requiring working fragmentation) elicit a TC=1 response, but TCP
>is not available.
>dig +bufsize=1554 +dnssec +norecur @$ip -t tlsa
>dig +bufsize=1555 +dnssec +norecur @$ip -t tlsa
>    Viktor.
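Added example, not part of this thread or any poster's code: a Python sketch of the check behind the two dig commands quoted above. It builds a non-recursive TLSA query with DO=1 and a chosen EDNS UDP size, reads the TC bit, and searches for the smallest size that avoids truncation. All function names are hypothetical and `simulated_server` is a constructed stand-in for a real UDP exchange; the 1555-byte threshold used with it is the ofda.gov figure from the quoted message.

```python
import struct
TLSA, OPT = 52, 41  # RR type codes

def build_query(qname, bufsize, txid=0x1234):
    """TLSA query with RD clear and an EDNS0 OPT RR: DO=1, UDP size = bufsize."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS carries the UDP size, TTL flags 0x8000 = DO
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000, 0)
    return header + name + struct.pack("!HH", TLSA, 1) + opt

def advertised_bufsize(query):
    """Read the UDP size back from the trailing 11-byte OPT RR built above."""
    rtype, size = struct.unpack("!HH", query[-10:-6])
    if rtype != OPT:
        raise ValueError("no trailing OPT record")
    return size

def is_truncated(response):
    """True when the TC bit (0x0200) is set in the DNS header flags."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def simulated_server(full_size):
    """Constructed stand-in: the signed answer needs full_size bytes of UDP payload."""
    def answer(query):
        if advertised_bufsize(query) < full_size:
            # header-only reply with QR|AA|TC set, as a server sends when it must truncate
            return query[:2] + struct.pack("!HHHHH", 0x8600, 0, 0, 0, 0)
        full = query[:2] + struct.pack("!HHHHH", 0x8400, 0, 0, 0, 0)  # QR|AA, padded body
        return full.ljust(full_size, b"\x00")
    return answer

def classify(send_udp, qname, bufsize, tcp_available):
    """Outcome a validating resolver sees for one advertised buffer size."""
    if not is_truncated(send_udp(build_query(qname, bufsize))):
        return "ok-udp"
    return "retry-tcp" if tcp_available else "fail-truncated-no-tcp"

def smallest_working_bufsize(send_udp, qname, lo=512, hi=4096):
    """Binary-search the smallest size answered without TC=1 (None if hi fails)."""
    if is_truncated(send_udp(build_query(qname, hi))):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        truncated = is_truncated(send_udp(build_query(qname, mid)))
        lo, hi = (mid + 1, hi) if truncated else (lo, mid)
    return lo
```

To run it against a live server, pass a `send_udp` callable that sends the query bytes over a UDP socket and returns the reply; the search assumes truncation is monotonic in the advertised size.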
