In message <43fc3f50679f458a869f99d72ecd1...@localhost>, "George Barwood" writes:
>
> ----- Original Message -----
> From: "Joe Abley" <jab...@hopcount.ca>
> To: "Tony Finch" <d...@dotat.at>
> Cc: "George Barwood" <george.barw...@blueyonder.co.uk>; <dnsop@ietf.org>
> Sent: Monday, March 08, 2010 4:22 PM
> Subject: Re: [DNSOP] Should root-servers.net be signed
>
>> On 2010-03-08, at 11:18, Tony Finch wrote:
>>
>>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
>>>> - signing ROOT-SERVERS.NET would result in potentially-harmful large
>>>> responses with no increase in security
>>>
>>> Can't you deal with this by omitting the root-servers.net RRSIGs from the
>>> additional section of responses to queries to the root?
>>
>> Are you suggesting that we implement a coordinated code change to all root
>> servers in the name of security or stability?
>>
>> Diversity in operation and code base is usually thought to be a strength of
>> the root server system.
>
> It's interesting to note that currently
>
> dig any . @a.root-servers.net +dnssec
>
> truncates, leading to TCP fallback
>
> but
>
> dig any . @l.root-servers.net +dnssec
>
> does not truncate (response size is 1906 bytes).
>
> George
A.ROOT-SERVERS.NET would appear to be configured to not send DNS responses
that will result in fragmentation leading to an artificially higher TCP load.
For named, max-udp-size is what controls this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
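An added example, not part of the thread above and not BIND's own code, showing what the two dig observations and Mark's max-udp-size remark boil down to at the wire level. It builds the kind of query `dig +dnssec` sends (EDNS OPT record with the DO bit and a 4096-byte advertised buffer), parses a response header for the TC flag and the server's advertised EDNS payload size, and models the server-side decision that a cap like named's max-udp-size imposes: the response goes out over UDP only if it fits within the smaller of the client's buffer and the server's cap, otherwise the server answers with TC=1 and the client retries over TCP. The 1400-byte cap used below is an assumed value for illustration, not A's actual configuration; `make_truncated_response` is a constructed stand-in for a TC reply so that everything runs offline, and `query_udp` is an optional helper for checking your own server.

```python
import socket
import struct

TYPE_ANY = 255
TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Wire-encode a domain name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, udp_bufsize=4096, do_bit=True, txid=0x1234):
    """Build a query with an EDNS OPT record, as `dig +dnssec` does (DO set, 4096-byte buffer)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: empty name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL = extended RCODE(8) | version(8) | DO(1) | Z(15), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_bufsize, 0x8000 if do_bit else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Advance past a (possibly compressed) name; a 0xC0 pointer ends the name in two bytes."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def edns_bufsize(msg):
    """Return the UDP payload size carried in the message's OPT record, or None without EDNS."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass                          # for OPT, CLASS holds the payload size
    return None


def udp_delivery(response_len, client_bufsize, max_udp_size):
    """Simplified model (not named's code) of the server-side choice a max-udp-size cap
    imposes: the usable UDP limit is the smaller of the client's advertised buffer
    (512 without EDNS) and the server's cap. Returns ("udp", size) when the full
    answer fits, else ("truncate", limit) meaning a TC=1 reply and TCP fallback."""
    limit = min(client_bufsize or 512, max_udp_size)
    if response_len <= limit:
        return ("udp", response_len)
    return ("truncate", limit)


def make_truncated_response(query, server_bufsize):
    """Constructed stand-in for the TC=1 reply a server sends when the answer does not fit:
    same ID, QR|TC|RD, the question echoed back, and an OPT record with the server's size."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_bufsize, 0x8000, 0)
    return header + query[12:qend] + opt


def query_udp(server, qname, qtype=TYPE_ANY, udp_bufsize=4096, timeout=3.0):
    """Optional live check of your own server: returns (response length, TC flag, EDNS size)."""
    q = build_query(qname, qtype, udp_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    return len(resp), parse_header(resp)["tc"], edns_bufsize(resp)


if __name__ == "__main__":
    q = build_query(".", TYPE_ANY)
    r = make_truncated_response(q, server_bufsize=1400)   # 1400 is assumed, not A's real cap
    print(len(q), parse_header(r)["tc"], edns_bufsize(r))
    # The 1906-byte ANY answer George measured at L, against an assumed 1400-byte cap and a 4096-byte one:
    print(udp_delivery(1906, 4096, 1400), udp_delivery(1906, 4096, 4096))
```

Run as a script it exercises only the constructed bytes; `query_udp("203.0.113.53", ".")` style calls against a server you operate will show whether it returns the full response or a TC reply for a given advertised buffer, which is the behaviour the dig commands in the thread expose.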