----- Original Message ----- 
From: "Nicholas Weaver" <nwea...@icsi.berkeley.edu>
To: "Matt Larson" <mlar...@verisign.com>
Cc: <dnsop@ietf.org>; "Nicholas Weaver" <nwea...@icsi.berkeley.edu>
Sent: Tuesday, March 09, 2010 3:31 PM
Subject: Re: [DNSOP] Should root-servers.net be signed


> 
> On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:
> 
>> On Mon, 08 Mar 2010, George Barwood wrote:
>>> It's interesting to note that currently
>>> 
>>> dig any . @a.root-servers.net +dnssec
>>> 
>>> truncates, leading to TCP fallback
>>> 
>>> but
>>> 
>>> dig any . @l.root-servers.net +dnssec
>>> 
>>> does not truncate ( response size is 1906 bytes ).
>> 
>> a.root-servers.net's six anycast instances currently all run BIND 9
>> configured with "max-udp-size 1472" to avoid sending responses larger
>> than the Ethernet MTU.  This was a conscious conservative choice and
>> the infrastructure is capable of handling the resulting increased TCP
>> load.
> 
> I'd set it at 1450 personally, because you do have some encapsulation over
> ethernets (e.g., PPPoE, IPSEC) which occur, so if the goal is "almost
> guaranteed no fragments", you need to leave a little additional headroom.

+1

> But given the current observed difficulty that resolvers have with fragments, 
> this is, IMO, a very good decision.

+1

I suggest the default value in BIND for max-udp-size should be 1450.
This appears to be best practice.
Since few zones are currently signed, it's not too late to make this change.
Later on it may be more difficult.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
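As an added example (not part of the thread), the byte arithmetic behind the 1472 and 1450 figures above, plus a small model of how a client's EDNS0 buffer size and a server's max-udp-size decide whether a response such as the 1906-byte one goes out over UDP or comes back with TC set. Header sizes and the 8-byte PPPoE overhead are assumed standard values; the sample reply bytes are constructed.

```python
import struct

# Assumed standard header sizes behind the numbers in the thread
ETH_MTU = 1500
IPV4_HDR = 20
UDP_HDR = 8
PPPOE_OVERHEAD = 8   # PPPoE session header (6) + PPP protocol field (2)

def max_udp_payload(mtu=ETH_MTU, encap=0):
    """Largest UDP payload that fits one frame without IP fragmentation."""
    return mtu - encap - IPV4_HDR - UDP_HDR

def build_query(qname=".", qtype=255, bufsize=4096, do=True, qid=0x1234):
    """Wire-format query (RD set) with an EDNS0 OPT RR advertising bufsize;
    qtype 255 is ANY and DO=1 mirrors 'dig any . +dnssec'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO bit (0x8000) | Z(15), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def advertised_bufsize(query):
    """Read the UDP payload size from the trailing OPT RR built above."""
    return struct.unpack("!H", query[-8:-6])[0]

def udp_response_fits(answer_len, client_bufsize, server_max_udp_size):
    """Model of a server configured like BIND's max-udp-size: the effective
    UDP limit is the smaller of what the client advertises and the server cap."""
    return answer_len <= min(client_bufsize, server_max_udp_size)

def response_truncated(msg):
    """True when the TC bit (0x0200) is set in a DNS response header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

# Constructed sample: a reply header with QR, TC and RD set (body omitted)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0)

if __name__ == "__main__":
    print("plain Ethernet UDP payload:", max_udp_payload())
    print("with PPPoE:", max_udp_payload(encap=PPPOE_OVERHEAD))
    q = build_query()
    print("query bytes:", len(q), "advertised buffer:", advertised_bufsize(q))
    print("1906-byte answer over UDP at max-udp-size 1472:",
          udp_response_fits(1906, advertised_bufsize(q), 1472))
    print("sample reply truncated:", response_truncated(TRUNCATED_REPLY))
```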