At KSK@2048, ZSK@1024, only the ./ANY and ARPA/ANY responses will
truncate (set the TC bit), and only ./RRSIG and ARPA responses will
change (but not set TC) with a max UDP size at 1400.

1) Use the "minimal-dnskey-response" behavior for the root
servers. This behavior is supported by RDNS 2.3.2 and NCDNS 1.1.1
(as well as BIND 9.6.x and NSD 3.2.3).

2) Cap our UDP response sizes to 1472 (or optionally less, down to
1400). The results below will show that this is safe. In fact,
unless a user does a ./ANY or ./RRSIG (or similar query for arpa),
they won't be able to tell we are capping. This is supported by
RDNS 2.3.2 (via the "max_udp_size" option) and NCDNS 1.1.1 (via the
"max_edns_response_size" PE config parameter).
* Created a testbed with a signed root with one 2048-bit KSK, one
  1024-bit ZSK, a signed arpa with the same key sizes, and (for now)
  an unsigned root-servers.net zone.

* BIND 9.6 was used as the authoritative server, so the
  minimal-dnskey-response behavior was in effect.

* A Python script was created using the dnspython package. This

  1. Read the contents of the signed root zone file, and for every
     name/type pair (except A/AAAA types for root and arpa):

     1.1. Query for the name/type with EDNS0, DO=1, and BUFSIZE=4096

     1.2. Record the resulting response size. This is the "full"

     1.3. Find the "minimum no TC" size by parsing the response,
          clearing the additional section, re-encoding into
          compressed wire format, then recording the size. Because
          of the way the dnspython dns.message class works, the OPT
          record was preserved. Testing demonstrated that the size
          did not change for responses that had no additional
          section records other than OPT (e.g., NXDOMAIN responses).

     1.4. Calculate the additional amount of space that would be
          taken up if a maximum sized qname was given (essentially,
          255 - len(qname)). Note that this only matters for
          referrals and NXDOMAIN responses. Other responses require

  2. For every unique name:

     2.1. Query for the qname/ANY with EDNS0, DO=1, BUFSIZE=4096 via
          UDP and record the resulting response size.

     2.2. Query for "qname_/A". This was to elicit an NXDOMAIN
          response from every NSEC gap. Record the resulting

     2.3. Calculate the additional amount of space for a maximum
          sized qname for the NXDOMAIN response.

  3. For each query, output:
     <full size><tab><min no tc size><tab><max qname diff><tab><qname/qtype>

  4. Calculate histograms for referrals, nxdomains, and other
* "Maximum overall size" is the size of a response with the
  additional records and with a 255-byte qname.
* "Full response size" is the size of the response with the additional
  section (if any), but with the given qname.

Referral sizes (Maximum overall sizes):
range [522 - 1057] min: root-servers.net./NS, max: AERO/NS

NXDOMAIN sizes (Maximum overall sizes):
range [697 - 914] min: @_/A, max: XN--HGBK6AJ7F53BBA_/A

Other response sizes (Full response sizes):
range [105 - 1906] min: A.ROOT-SERVERS.NET./NSEC, max: @/ANY
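The measurement steps above (1.2 through 1.4) and the two size definitions, as an added example that is not the report's dnspython script: a standard-library Python encoder that builds a response in compressed wire format, computes the full size, the "minimum no TC" size with the additional section cleared except for OPT, and the headroom a 255-byte qname would add (254 for the root, 249 for arpa, as in the table of over-1500 responses), then reports what a server capping UDP responses at 1400 or 1472 bytes would do. The referral for `example.`, its name servers, DS, RRSIG and glue contents are constructed sample data, not testbed measurements, and the cap behavior rule (drop the additional section if that fits, otherwise set TC) is the interpretation this example assumes.

```python
"""
Response-size analysis in the style of steps 1.2-1.4 of the report:
"full" size, "minimum no TC" size (additional section cleared, OPT kept,
re-encoded with name compression), and the extra bytes a 255-byte qname
would add. Standard library only; all sample records are constructed.
"""
import struct

OPT = 41              # EDNS0 OPT pseudo-record type
MAX_NAME_WIRE = 255   # RFC 1035 limit on a wire-format name


def wire_name(name, offsets=None, pos=0):
    """Encode `name` in wire format. With `offsets`, reuse an earlier
    occurrence of any suffix as a compression pointer and record new
    suffixes at their absolute message offset (`pos` = where this name starts)."""
    labels = [lab for lab in name.rstrip('.').split('.') if lab]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = '.'.join(labels[i:]).lower()
        if offsets is not None:
            if suffix in offsets:
                out += struct.pack('!H', 0xC000 | offsets[suffix])
                return bytes(out)
            if pos + len(out) <= 0x3FFF:
                offsets[suffix] = pos + len(out)
        raw = label.encode('ascii')
        out += bytes([len(raw)]) + raw
    out += b'\x00'    # root label terminates the name
    return bytes(out)


def wire_rr(rr, offsets, pos):
    """Encode one RR. rr = (owner, rtype, rclass, ttl, rdata); rdata is bytes,
    or a str holding a domain name (NS style) that is compressed like an owner."""
    owner, rtype, rclass, ttl, rdata = rr
    out = bytearray(wire_name(owner, offsets, pos))
    if isinstance(rdata, str):
        rdata = wire_name(rdata, offsets, pos + len(out) + 10)  # 10 = TYPE..RDLENGTH
    out += struct.pack('!HHIH', rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(out)


def opt_rr(bufsize=4096, do=True):
    """EDNS0 OPT: owner '.', CLASS = UDP buffer size, TTL = flags (DO = 0x8000)."""
    return ('.', OPT, bufsize, 0x8000 if do else 0, b'')


def wire_message(qname, qtype, answer=(), authority=(), additional=()):
    """Encode a response (header, question, three sections) with compression."""
    offsets = {}
    msg = bytearray(struct.pack('!HHHHHH', 0x1234, 0x8400,  # QR|AA, NOERROR
                                1, len(answer), len(authority), len(additional)))
    msg += wire_name(qname, offsets, len(msg))
    msg += struct.pack('!HH', qtype, 1)          # QTYPE, QCLASS=IN
    for section in (answer, authority, additional):
        for rr in section:
            msg += wire_rr(rr, offsets, len(msg))
    return bytes(msg)


def max_qname_diff(qname):
    """Step 1.4: 255 - len(qname) in wire form (254 for '.', 249 for 'arpa.')."""
    return MAX_NAME_WIRE - len(wire_name(qname))


def analyze(qname, qtype, answer=(), authority=(), additional=()):
    """Steps 1.2-1.4 plus the 'maximum overall size' from the results section."""
    full = len(wire_message(qname, qtype, answer, authority, additional))
    opt_only = [rr for rr in additional if rr[1] == OPT]   # clear additional, keep OPT
    min_no_tc = len(wire_message(qname, qtype, answer, authority, opt_only))
    diff = max_qname_diff(qname)
    return {'full': full, 'min_no_tc': min_no_tc,
            'max_qname_diff': diff, 'max_overall': full + diff}


def behaviour_at_cap(sizes, cap):
    """Assumed server behavior at a UDP cap: 'unchanged' (fits), 'changed'
    (additional dropped, no TC) or 'truncated' (TC set, client retries over TCP)."""
    if sizes['full'] <= cap:
        return 'unchanged'
    if sizes['min_no_tc'] <= cap:
        return 'changed'
    return 'truncated'


def sample_referral():
    """Constructed referral for 'example.' (not testbed data): two NS, a DS and
    its RRSIG in authority, A/AAAA glue and OPT in additional. RDATA for DS and
    RRSIG are zero-filled placeholders of realistic length (RRSIG: 18 fixed
    bytes + 1-byte signer '.' + 128-byte RSA-1024 signature)."""
    authority = [('example.', 2, 1, 172800, 'a.ns.example.'),
                 ('example.', 2, 1, 172800, 'b.ns.example.'),
                 ('example.', 43, 1, 86400, b'\x00' * 36),
                 ('example.', 46, 1, 86400, b'\x00' * 147)]
    additional = [('a.ns.example.', 1, 1, 172800, b'\xc0\x00\x02\x01'),   # 192.0.2.1
                  ('b.ns.example.', 1, 1, 172800, b'\xc0\x00\x02\x02'),   # 192.0.2.2
                  ('a.ns.example.', 28, 1, 172800, b'\x20\x01\x0d\xb8' + b'\x00' * 12),
                  ('b.ns.example.', 28, 1, 172800, b'\x20\x01\x0d\xb8' + b'\x00' * 12),
                  opt_rr()]
    return 'example.', 2, [], authority, additional


if __name__ == '__main__':
    sizes = analyze(*sample_referral())
    print('\t'.join(str(sizes[k]) for k in ('full', 'min_no_tc', 'max_qname_diff')),
          'example./NS', sep='\t')
    for cap in (1400, 1472):
        print(f'cap {cap}: {behaviour_at_cap(sizes, cap)}')
```

Running the block prints one line in the report's `<full size><tab><min no tc size><tab><max qname diff><tab><qname/qtype>` format for the constructed referral, then the behavior at the two caps the report recommends. The `min_no_tc` figure is what decides whether a capped server merely changes a response or sets TC, which is the distinction the report draws between the apex RRSIG and ANY responses.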
The six responses over 1500 are variations of apex RRSIG and ANY

1549  1189  249  ARPA/RRSIG
1549  1189  249  ARPA./RRSIG
1561  1157  254  @/RRSIG
1899  1539  249  ARPA/ANY
1899  1539  249  ARPA./ANY

Note that the duplicate arpa queries exist because of the arpa entry
in both the root zone and the arpa zone.

The RRSIG responses will shrink to 1189 or 1157 bytes before setting
TC, but the ANY responses will always set TC.