1) Use the "minimal-dnskey-response" behavior for the root
servers. This behavior is supported by RDNS 2.3.2 and NCDNS 1.1.1
- (as well as BIND 9.6 and NSD 3.2.3).
+ (as well as BIND 9.6.x and NSD 3.2.3).
2) Cap our UDP responses sizes to 1472 (or optionally less, down to
1400). The results below will show that this is safe. In fact,
1024-bit ZSK, a signed arpa with the same key sizes, and (for now)
an unsigned root-servers.net zone.
- * BIND 9.6 was used as the authoritative server (so the
- minimal-dnskey-response behavior was in effect).
+ * BIND 9.6 was used as the authoritative server, so the
+ minimal-dnskey-response behavior was in effect.
* A python script was created using the dnspython package. This
script would:
1. Read the contents of the signed root zone file, and for every
name/type pair (except A/AAAA types for root and arpa):
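Review bot: the replacement line `+ * BIND 9.6 was used as the authoritative server, so the` still reads "BIND 9.6" while the earlier hunk changes the same product reference to "BIND 9.6.x"; use the same form here so the two mentions of the authoritative server version agree.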
- 1.1. Query for the name/type with EDNS0, DO=1, BUFSIZE=4096 via
- UDP
+ 1.1. Query for the name/type with EDNS0, DO=1, and BUFSIZE=4096
+ via UDP.
- 1.2. Record the resulting response size.
+ 1.2. Record the resulting response size. This is the "full"
+ response size.
1.3. Find the "minimum no TC" size by parsing the response,
clearing the additional section, re-encoding into
compressed wire format, then recording the size. Because
of the way the dnspython dns.message class works, the OPT
- record was perserved.
+ record was perserved. Testing demonstrated that the size
+ did not change for responses that had no additional
+ section records other than OPT (e.g., NXDOMAIN responses).
1.4. Calculate the additional amount of space that would be
taken up if a maximum sized qname was given (essentially,
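Review bot: the replacement line `+ record was perserved. Testing demonstrated that the size` carries the misspelling "perserved" over from the removed line; since the line is being rewritten anyway, change it to "preserved".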
Results:
-* "Maximum overall size" is the size of a response *with* the
+* "Maximum overall size" is the size of a response with the
additional records and with a 255-byte qname.
* "Full response size" is the size of the response with the additional
section (if any), but with the given qname.
Note that the duplicate arpa queries exist because of the arpa entry
in both the root zone and the arpa zone.
-The RRSIG responsed will shrink to 1189 or 1157 bytes before setting
+The RRSIG responses will shrink to 1189 or 1157 bytes before setting
TC, but the ANY responses will always set TC.
-