Re: [DNSOP] Should root-servers.net be signed

"George Barwood" <george.barwood@blueyonder.co.uk> Fri, 19 March 2010 07:21 UTC

Message-ID: <183BEF785A9844F186558A87848A6698@localhost>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Matt Larson <mlarson@verisign.com>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost><0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca><alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk><A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca><43FC3F50679F458A869F99D72ECD1237@localhost><20100309151726.GC5108@dul1mcmlarson-l1-2.local> <6C56581E-D4F4-4A49-A3B4-CB7F1CF42E29@icsi.berkeley.edu>
Date: Fri, 19 Mar 2010 07:21:27 -0000
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>

----- Original Message ----- 
From: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
To: "Matt Larson" <mlarson@verisign.com>
Cc: <dnsop@ietf.org>; "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
Sent: Tuesday, March 09, 2010 3:31 PM
Subject: Re: [DNSOP] Should root-servers.net be signed


> 
> On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:
> 
>> On Mon, 08 Mar 2010, George Barwood wrote:
>>> It's interesting to note that currently
>>> 
>>> dig any . @a.root-servers.net +dnssec
>>> 
>>> truncates, leading to TCP fallback
>>> 
>>> but
>>> 
>>> dig any . @l.root-servers.net +dnssec
>>> 
>>> does not truncate ( response size is 1906 bytes ).
>> 
>> a.root-servers.net's six anycast instances currently all run BIND 9
>> configured with "max-udp-size 1472" to avoid sending responses larger
>> than the Ethernet MTU.  This was a conscious conservative choice and
>> the infrastructure is capable of handling the resulting increased TCP
>> load.
> 
> I'd set it at 1450 personally, because you do have some encapsulation over ethernets (e.g., PPPoE, IPsec) which occur, so if the goal is "almost guaranteed no fragments", you need to leave a little additional headroom.

+1

> But given the current observed difficulty that resolvers have with fragments, this is, IMO, a very good decision.

+1

I suggest the default value in BIND for max-udp-size should be 1450.
This appears to be best practice.
Since few zones are currently signed, it's not too late to make this change.
Later on it may be more difficult.