On Wed, Aug 20, 2008 at 04:06:05PM -0700, David Conrad wrote:
- if the advertised EDNS0 buffer size is not large enough, it will
trigger truncation and, as a result, an increase in the number of TCP
sessions going to the root.
assumed that it's reasonable to focus on referrals and NXDOMAIN responses
only, we'd usually see a DS and RRSIG(DS) or an NSEC plus RRSIG(NSEC) for
the former and two NSECs plus two RRSIG(NSEC) for the latter.
As per RFC 3226 (or 4035, section 6), the resolver sending DO is expected
to support at least 1220 octet responses.
Hard data on the advertized sizes for both DO and EDNS, but not DO would
be helpful.
- if the advertised EDNS0 buffer size is large enough, but the network
MTU is too small, fragmentation will occur which may cause the
response to be dropped (for a variety of reasons).
Since, as Mark has pointed out, EDNS is used in many queries today, resulting
in referral responses larger than 512, this problem should have been faced
even without DNSSEC (or DO inparticular) involved. Again, measurement data
showing the response size distributions for root name servers would be helpful.
- if there are middle boxes in the way that do stupid things (e.g.,
disallow DNS over TCP), those middle boxes will likely drop the larger
responses.
Much of this has already been initiated by resolvers using EDNS (with sizes
512 octets) and either large referrals or RRs in priming responses.
The remaining risk is that DNSSEC responses would increase the size above
some critical value that doesn't regularily appear today.
The concern I see (that I had hoped would be avoided by DO being set
to 1 only when the caching server administrator had explicitly
configured DNSSEC awareness) is that folks who are blissfully unaware
DO can only signal from the resolver to the server, but for responses to
reach the resolver, anything in the way must also leave larger packets
alone.
One other issue around DO is that it was introduced to signal understanding
of DNSSEC as per RFC 2535. The reaction of hypothetical 2535 only
resolvers to DNSSECbis responses is to be explored. I vaguely remember that
we've had this discussion of versioning the DO bit.
-Peter
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop