[dnssec-deployment] DNSSEC in Russia
Mark_Andrews at isc.org
Thu Apr 2 16:51:38 EDT 2009
In message <list-17545150 at execdsl.com>, Lutz Donnerhacke writes:
> Every EDNS0 enabled UDP response from a root server should not get
> fragmented on the way through the net nor needs to generate multiple packets
> on the root server itself. That's why the limit of the IP packet size is
> about 1400 byte payload. This limit correspond to a single KSK and a single
> ZSK which is rolled regularly. If somebody want's to add another algorithm,
> the full size doubles. I believe such sizes to be too risky for a productive
> signed root.
Please cite the relevent RFC that recommend this limit.
If you don't want fragmentation then you need to push it
back to under 1200 as that is the what IPv6 responses will
be fragemented to. Nameservers shouldn't be attemting PMTU
discover on UDP responses.
In reality the DNS can cope quite well with fragmented UDP
and the occasional lost fragment.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the Dnssec-deployment