I was in the process of setting up a test server with DNSSEC signed domains, and asking users to point at the test server to see if the larger packets affected their application, when I realized I might be wrong. DNS Resolvers will get bigger responses from DNS Authoritative servers because of DNSSEC signatures. But clients, running stub resolvers, will likely set the +AD flag and expect the DNS Resolver to validate, but the client will get a response that does not include any DNSSEC records. Is that correct?
So I only need to worry about increased packet sizes between DNS Resolvers and DNS Authoritative servers? (Granted, the actual answer size to the client could be large enough to cause fall-back to TCP, but that is not because of DNSSEC.)

-- Bob Harold
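Added example (not code from the post, from BIND or from ISC): a small pure-Python DNS wire-format builder and parser, run entirely offline on constructed messages, that makes the size question concrete by separating the two bits involved. The AD header bit only asks the resolver to report whether it validated; the EDNS0 DO bit in an OPT record is what requests RRSIG and other DNSSEC records in the answer, so a validating resolver sets DO when it talks to authoritative servers and a stub that sets AD but not DO gets a validated answer with no signatures in it. All function names (`build_query`, `build_response`, `parse_message`, `fits_in_udp`), the name `example.com.`, the address `192.0.2.1` and the zero-filled RRSIG payload are assumptions constructed for the demonstration; the RRSIG is a placeholder of chosen length, not a real signature.

```python
import struct

# Header flag bits and EDNS constants (RFC 1035, RFC 6891, RFC 4035).
DNS_FLAG_TC = 0x0200          # truncated: server could not fit the answer in UDP
DNS_FLAG_AD = 0x0020          # authenticated data: validation status / request
EDNS_DO = 0x8000              # "DNSSEC OK" bit in the OPT record's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, want_ad=True, dnssec_ok=False, udp_size=1232, txid=0x1234):
    """A query for an A record. want_ad sets the AD header bit (what a stub does);
    dnssec_ok adds an OPT record with DO set (what a validating resolver does)."""
    flags = 0x0100 | (DNS_FLAG_AD if want_ad else 0)        # RD=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, class = advertised UDP payload size,
        # TTL = ext-rcode/version/flags (DO lives here), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def build_response(name, ad, with_rrsig, sig_len=128, txid=0x1234):
    """Constructed answer: one A record, optionally plus a placeholder RRSIG and an
    OPT record with DO, which is the shape an authoritative server returns to a
    resolver that asked with DO set."""
    flags = 0x8180 | (DNS_FLAG_AD if ad else 0)             # QR, RD, RA
    ancount, arcount = (2, 1) if with_rrsig else (1, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # Answer: name is a compression pointer to offset 12 (the question name).
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        # RRSIG RDATA layout is real; the values and the signature bytes are fake.
        rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 0)
        rdata += encode_name(name) + b"\x00" * sig_len
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_message(msg):
    """Summarise the bits that matter for the DNSSEC size question."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    rrsigs, do = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do = True
    return {"ad": bool(flags & DNS_FLAG_AD), "tc": bool(flags & DNS_FLAG_TC),
            "do": do, "rrsig_count": rrsigs, "size": len(msg)}


def fits_in_udp(msg, udp_size=512):
    """512 is the classic limit without EDNS; with EDNS use the advertised size."""
    return len(msg) <= udp_size


if __name__ == "__main__":
    cases = [
        ("stub query (AD, no DO)", build_query("example.com.", want_ad=True)),
        ("resolver query (DO)", build_query("example.com.", want_ad=False, dnssec_ok=True)),
        ("answer to stub", build_response("example.com.", ad=True, with_rrsig=False)),
        ("authoritative answer to resolver", build_response("example.com.", ad=False, with_rrsig=True)),
    ]
    for label, m in cases:
        print(f"{label:36s} {parse_message(m)} fits 512 B UDP: {fits_in_udp(m)}")
```

Against real traffic the same distinction can be observed with `dig +adflag` versus `dig +dnssec` (which sets DO): the second form is the one whose replies carry RRSIGs and grow, and a reply larger than the advertised EDNS payload size comes back with TC set and the client retries over TCP.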
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users