Re: [DNSOP] Computerworld apparently has changed DNS protocol

David Blacka <davidb@verisign.com> Wed, 04 November 2009 20:29 UTC

On Nov 4, 2009, at 3:02 PM, David Conrad wrote:

> [namedroppers dropped as this felt more operational to me]
>
> On Nov 4, 2009, at 11:09 AM, Nicholas Weaver wrote:
>> Question:  Have people been able to estimate how large the signed  
>> root zone response will be?
>
> Response to what?  Using the current IANA 'normal root servers'  
> testbed:
>
> % dig +bufsize=4096 +dnssec @root.iana.org . ns | grep rcvd
> ;; MSG SIZE  rcvd: 801
> % dig +bufsize=4096 +dnssec @root.iana.org . soa | grep rcvd
> ;; MSG SIZE  rcvd: 1016
> % dig +bufsize=4096 +dnssec @root.iana.org . rrsig | grep rcvd
> ;; MSG SIZE  rcvd: 2005
> % dig +bufsize=4096 +dnssec @root.iana.org x a | grep rcvd
> ;; MSG SIZE  rcvd: 639

I actually researched this, and need to spend some time cleaning up  
the report before posting it to this list.  But the bottom line is  
that yes, all responses save a few at the apex of root are below 1500b  
(actually, below 1100b).  The responses that are larger are ". rrsig"  
and ". any" (and ". dnskey" if minimal dnskey responses aren't used).   
". any" is the only one that would actually set TC if, say, the  
advertised buffer size were set to 1280.

--
David Blacka                          <davidb@verisign.com>
Sr. Engineer          VeriSign Platform Product Development
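
The message above turns on two wire-level fields: the EDNS0 UDP payload size that the client advertises (dig's `+bufsize`, sent with the DO bit under `+dnssec`) and the TC bit the server sets when a response does not fit. The following is an added example, not part of the original message. It builds and parses those fields; the function names are hypothetical, and the truncated reply is a constructed sample, not a captured root-server response.

```python
import struct

TYPE_OPT, TYPE_ANY, CLASS_IN = 41, 255, 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200  # header flag bits
EDNS_DO = 0x8000                                     # DNSSEC OK bit in the OPT TTL field

def encode_name(name):
    """Length-prefixed labels; "." encodes as the single root byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(name, qtype, bufsize, flags=0, msg_id=0x1234):
    """Header + one question + one EDNS0 OPT record and no other records."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=flags (DO set), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Return (tc, edns_bufsize, do); edns_bufsize is None without an OPT record."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    bufsize, do = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            bufsize, do = rclass, bool(ttl & EDNS_DO)
    return bool(flags & FLAG_TC), bufsize, do

# The EDNS0 part of what "dig +bufsize=1280 +dnssec . any" sends (RD not set in this sketch).
query = build_message(".", TYPE_ANY, 1280)
# Constructed sample: an answerless reply with TC set; the client should retry over TCP.
reply = build_message(".", TYPE_ANY, 4096, flags=FLAG_QR | FLAG_AA | FLAG_TC)

if __name__ == "__main__":
    print("query:", len(query), "bytes", summarize(query))
    print("reply:", summarize(reply))
```

Running `summarize` over captured responses at different advertised sizes shows which query types come back with TC set and would force a TCP retry.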