On Mon, Jul 28, 2014 at 10:05 AM, David Conrad <d...@virtualized.org> wrote:
> Hi,
>
> On Jul 28, 2014, at 5:48 AM, Nicholas Weaver <nwea...@icsi.berkeley.edu>
> wrote:
> > The IPv6 net has decreed “No, really, FRAGMENTS DO NOT WORK”.
>
> This could be a bit of an issue when the DNSSEC root key is rolled. Could
> someone point me to a writeup and/or data as to how we know the above
> decree? (I'm not disagreeing, I just haven't really been following this for
> a while).
>

As one data point, the current top DNSKEY response sizes for TLDs (all using UDP) are:

xn--fiq228c5hs. 1669
xn--6frz82g. 1657
xn--3ds443g. 1657
rich. 1629
post. 1629
pink. 1629
info. 1629
blue. 1629
asia. 1629
red. 1625
org. 1625
onl. 1625
kim. 1625
sc. 1621
pr. 1621
mn. 1621
me. 1621
lc. 1621
in. 1621
gi. 1621
bz. 1621
ag. 1621
bg. 1567
xn--fiqz9s. 1505
xn--fiqs8s. 1505
am. 1479
cn. 1473
dk. 1459

All of the above result in IPv6 fragmentation, and nearly all also result in IPv4 fragmentation---both assuming a 1500-byte PMTU and a resolver using an EDNS UDP payload value sufficient to hold the entire payload. This list has changed over time, through key rollovers and such.

Has there been empirical or anecdotal evidence to suggest that DNSSEC validation has been broken for these TLDs for some population? I'm not suggesting that fragmentation is pretty, and I'm quite aware of path problems with fragmentation (some of them having been worked around by resolver implementations and configurations, as Tony indicated).

Casey
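Added illustration, not part of Casey's message or the thread: the arithmetic behind "all fragment over IPv6, nearly all over IPv4", applied to the sizes quoted above. It assumes the quoted numbers are DNS message lengths (UDP payload, IP and UDP headers excluded), a 1500-byte PMTU with no IPv4 options, and a resolver EDNS buffer large enough to hold every reply.

```python
# Added example, not from the thread: for each TLD DNSKEY response size Casey
# quoted, decide whether a single UDP reply of that size needs IP fragmentation
# at a 1500-byte PMTU over IPv4 and over IPv6. Assumes the quoted sizes are
# DNS message lengths (UDP payload, headers excluded) and no IPv4 options.
IPV4_HDR = 20          # IPv4 header, no options
IPV6_HDR = 40          # fixed IPv6 header
UDP_HDR = 8
IPV6_MIN_MTU = 1280    # every IPv6 link must carry this without fragmentation

# Sizes as quoted in the message (bytes).
DNSKEY_SIZES = {
    "xn--fiq228c5hs.": 1669, "xn--6frz82g.": 1657, "xn--3ds443g.": 1657,
    "rich.": 1629, "post.": 1629, "pink.": 1629, "info.": 1629, "blue.": 1629,
    "asia.": 1629, "red.": 1625, "org.": 1625, "onl.": 1625, "kim.": 1625,
    "sc.": 1621, "pr.": 1621, "mn.": 1621, "me.": 1621, "lc.": 1621,
    "in.": 1621, "gi.": 1621, "bz.": 1621, "ag.": 1621, "bg.": 1567,
    "xn--fiqz9s.": 1505, "xn--fiqs8s.": 1505, "am.": 1479, "cn.": 1473,
    "dk.": 1459,
}

def max_unfragmented_payload(pmtu: int, ipv6: bool) -> int:
    """Largest DNS message that fits in one datagram at this PMTU."""
    return pmtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR

def fragments(size: int, pmtu: int = 1500, ipv6: bool = False) -> bool:
    """True if a UDP reply of `size` bytes would be fragmented on the wire."""
    return size > max_unfragmented_payload(pmtu, ipv6)

def fragmenting_tlds(sizes: dict, pmtu: int = 1500, ipv6: bool = False) -> list:
    """TLDs whose DNSKEY reply fragments; assumes EDNS buffer >= every size."""
    return sorted(t for t, s in sizes.items() if fragments(s, pmtu, ipv6))

def report(sizes: dict = DNSKEY_SIZES, pmtu: int = 1500) -> dict:
    v4 = fragmenting_tlds(sizes, pmtu, ipv6=False)
    v6 = fragmenting_tlds(sizes, pmtu, ipv6=True)
    return {
        "v4_limit": max_unfragmented_payload(pmtu, False),
        "v6_limit": max_unfragmented_payload(pmtu, True),
        "v4_fragmenting": v4,
        "v6_fragmenting": v6,
        "v6_only": sorted(set(v6) - set(v4)),   # the "nearly all" exceptions
    }

if __name__ == "__main__":
    r = report()
    print(f"IPv4 limit {r['v4_limit']}, IPv6 limit {r['v6_limit']} bytes")
    print(f"{len(r['v6_fragmenting'])}/{len(DNSKEY_SIZES)} fragment over IPv6")
    print("fragment over IPv6 but not IPv4:", r["v6_only"])
```

Running it shows the single IPv4 exception is dk. (1459 bytes sits between the 1452-byte IPv6 limit and the 1472-byte IPv4 limit); the same functions give the 1232-byte figure for the IPv6 minimum MTU.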
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop