Re: [DNSOP] On resolver priming
"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Fri, 12 November 2010 15:46 UTC
Message-ID: <4CDD6167.4000209@nlnetlabs.nl>
Date: Fri, 12 Nov 2010 16:46:47 +0100
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: dnsop@ietf.org
References: <20101111100350.GA1997@shinkuro.com> <20101111184914.GA12031@DUL1MLARSON-M1.labs.vrsn.com>
In-Reply-To: <20101111184914.GA12031@DUL1MLARSON-M1.labs.vrsn.com>
Subject: Re: [DNSOP] On resolver priming
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 11/11/2010 07:49 PM, Matt Larson wrote:
> On Thu, 11 Nov 2010, Andrew Sullivan wrote:
>> argument by just signing the data.
>
> That's simply the conservative, operationally prudent course of
> action.

I suspect there is cause to be conservative. Thus, I have performed a
test with BIND 9.7.1 and NSD 3.2.6, signing root-servers.net (test
RSASHA256 2048 ksk and 1024 zsk), and checked the response sizes for
the prime query and a query to a.root-servers.net.

These results:

. NS (BIND): 4525
. NS (NSD): 829 (unchanged from today)
a.root-servers.net A (BIND): 4557
a.root-servers.net A (NSD): 4575

The difference for a.root-servers.net is because of compression
implementation, and on UDP most likely would be cut off at 40xx.

The prime response from BIND includes the RRSIGs over the root server
A and AAAA records (at 164 bytes data each, 21 times).

This is of course a very quick test, and details would need a serious
investigation.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdYWcACgkQkDLqNwOhpPg8PwCfbPOCTN3UpL6Pn0qRjMAwsIM6
GEgAoJa8FWcscolFwKbxuA81S09Aduk+
=lK1P
-----END PGP SIGNATURE-----
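The sizes in the message can be checked from the wire formats alone. The following is an added example (not code from the message, BIND or NSD) that derives the RRSIG RDATA length for a 1024-bit RSA ZSK with signer name root-servers.net per RFC 4034, and adds 21 such RRSIGs to the unsigned priming response size; it assumes each RRSIG owner name is a 2-byte compression pointer and that the unsigned response (829 bytes) is otherwise unchanged.

```python
"""Estimate how DNSSEC RRSIGs grow a root-servers.net priming response.

Added example, not taken from the message or from BIND/NSD.
Wire formats: RFC 1035 (names, RR header) and RFC 4034 section 3.1 (RRSIG RDATA).
"""
import struct


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def rrsig_rdata_len(signer: str, key_bits: int) -> int:
    """RRSIG RDATA: type covered(2) algorithm(1) labels(1) original TTL(4)
    expiration(4) inception(4) key tag(2), then the signer name and the signature.
    An RSA signature is exactly the modulus size, so 1024 bits -> 128 bytes."""
    fixed = struct.calcsize("!HBBIIIH")  # 18 bytes of fixed fields
    return fixed + name_wire_len(signer) + key_bits // 8


def rr_wire_len(rdata_len: int, compressed_owner: bool = True, owner: str = ".") -> int:
    """Owner name (2-byte pointer when compressed) + TYPE, CLASS, TTL, RDLENGTH (10) + RDATA."""
    owner_len = 2 if compressed_owner else name_wire_len(owner)
    return owner_len + 10 + rdata_len


def priming_response_estimate(unsigned_bytes: int, n_rrsigs: int,
                              signer: str = "root-servers.net", zsk_bits: int = 1024) -> int:
    """Unsigned response plus n_rrsigs RRSIG RRs over the glue, assumption: owners compressed."""
    return unsigned_bytes + n_rrsigs * rr_wire_len(rrsig_rdata_len(signer, zsk_bits))


def fits_in_udp(size: int, edns_bufsize: int = 4096) -> bool:
    """True if the response fits a single UDP datagram at the given EDNS0 buffer size.
    A response over the buffer is truncated and forces the resolver to retry over TCP."""
    return size <= edns_bufsize


if __name__ == "__main__":
    rdata = rrsig_rdata_len("root-servers.net", 1024)
    total = priming_response_estimate(829, 21)
    print(f"RRSIG RDATA per record: {rdata} bytes")       # 164, as in the message
    print(f"signed priming response: {total} bytes")      # 4525, as in the message
    print(f"fits 4096-byte EDNS buffer: {fits_in_udp(total)}")
```

The 164-byte RDATA and the 4525-byte total both reproduce the figures in the message, and the total exceeds a 4096-byte EDNS buffer, so without the RRSIGs being omitted (as NSD does) a resolver would see a truncated priming answer and fall back to TCP.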