Re: [DNSOP] Should root-servers.net be signed

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Fri, 19 March 2010 19:48 UTC

Return-Path: <nweaver@ICSI.Berkeley.EDU>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB9303A693A for <dnsop@core3.amsl.com>; Fri, 19 Mar 2010 12:48:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.536
X-Spam-Level:
X-Spam-Status: No, score=-5.536 tagged_above=-999 required=5 tests=[AWL=-0.067, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MO8Rxsma1DoX for <dnsop@core3.amsl.com>; Fri, 19 Mar 2010 12:48:13 -0700 (PDT)
Received: from fruitcake.ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU [192.150.186.11]) by core3.amsl.com (Postfix) with ESMTP id 6FD443A6922 for <dnsop@ietf.org>; Fri, 19 Mar 2010 12:48:13 -0700 (PDT)
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id o2JJmObj012275; Fri, 19 Mar 2010 12:48:24 -0700 (PDT)
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost><0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca><alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk><A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca><43FC3F50679F458A869F99D72ECD1237@localhost><20100309151726.GC5108@dul1mcmlarson-l1-2.local> <6C56581E-D4F4-4A49-A3B4-CB7F1CF42E29@icsi.berkeley.edu> <183BEF785A9844F186558A87848A6698@localhost> <061F30F4-E0EE-40E6-A54D-246D9E9A9D77@ICSI.Berkeley.EDU> <6D6F580F8CFB4DB5AB32566FB608088D@localhost> <57BC5F21-B1EE-4D06-BB1B-3DC8582D0D87@ICSI.Berkeley.EDU> <03CF4A3B5B374C4C858DEEB2D66C0702@localhost> <AA116C2A-CCFC-4177-A43A-B3AA066B3C3C@ICSI.Berkeley.EDU> <7F872C0CAA544F9480BF49438AAFA3BF@localhost> <68584293-648A-4F4E-8731-785E8F4D38B7@ICSI.Berkeley.EDU> <662061674DB34DB395F519F52B0C4C35@localhost>
In-Reply-To: <662061674DB34DB395F519F52B0C4C35@localhost>
Mime-Version: 1.0 (Apple Message framework v1077)
X-Priority: 3
Content-Type: text/plain; charset="us-ascii"
Message-Id: <9B17C765-036B-40BD-B05A-E1A3E4582D91@ICSI.Berkeley.EDU>
Content-Transfer-Encoding: quoted-printable
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Fri, 19 Mar 2010 12:48:24 -0700
To: George Barwood <george.barwood@blueyonder.co.uk>
X-Mailer: Apple Mail (2.1077)
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2010 19:48:14 -0000

On Mar 19, 2010, at 12:01 PM, George Barwood wrote:
> 
> Anyway, do we yet agree that 1450 is the best default for max-udp-size, and that higher values are dangerous?\

No:  I agree it is the proper default for the TLD authorities and roots, but for everything else, the higher value should be what the resolver requests.

Enshrining "tho shalt never fragment" into the Internet Architecture is dangerous, and will cause far MORE problems. Having something which regularly exercises fragmentation as critical to the infrastructure and we wouldn't have this problem where 10% of the resolvers are broken WRT fragmentation.