[root_zone_test.git] / zone_results / root_overall_response_size_results.txt

I have some preliminary results from my root response size research.

Executive Summary:

   At KSK@2048, ZSK@1024, only the ./ANY response will truncate (set
   the TC bit), and only ./RRSIG response will change (but not set TC)
   with a max UDP size at 1400.

   Capping our UDP response size is quite safe, and most users will
   not be able to tell that we are doing it.

Methodology:

  * Created a testbed with a signed root with one 2048-bit KSK, one
    1024-bit ZSK, and (for now) an unsigned root-servers.net zone.

  * BIND 9.6 was used as the authoritative server (so the
    minimal-dnskey-response behavior was in effect).

  * A python script was created using the dnspython package.  This
    script would:

    1. Read the contents of the signed root zone file, and for every
    name/type pair (except A/AAAA):

       1.1. Query for the name/type with EDNS0, DO=1, BUFSIZE=4096 via
            UDP

       1.2. Record the resulting response size.

       1.3. Find the "minimum no TC" size by parsing the response,
            clearing the additional section, re-encoding into
            compressed wire format, then recording the size.  Because
            of the way the dnspython dns.message class works, the OPT
            record was perserved.

       1.4. Calculate the additional amount of space that would be
            taken up if a maximum sized qname was given (essentially,
            255 - len(qname)).  Note that this only matters for
            referrals and NXDOMAIN responses.  Other responses require
            an exact qname match.

    2. For every unique name:

        2.1. Query for the qname/ANY with EDNS0, DO=1, BUFSIZE=4096 via
             UDP and record the resulting response size.

        2.2. Query for "qname_/A". This was to elicit an NXDOMAIN
             response from every NSEC gap.  Record the resulting
             response size.

        2.3. Calculate the additional amount of space for a maximum
             sized qname for the NXDOMAIN response.

    3. For each query, output:
       <full size><tab><min no tc size><tab><max qname diff><tab><qname/qtype>
    
    4. Calculate histograms for referrals, nxdomains, and other
       responses and output.


Results:

* "Maximum truncation size" is basically the size of a response without
  the additional records, but with a 255-byte qname.  Note that
  NXDOMAIN responses don't have additional section records.
* "Maximum overall size" is the size of a response *with* the
  additional records and with a 255-byte qname.
* "Full response size" is the size of the response with the additional
  section (if any), but with the given qname.

Referral sizes (Maximum truncation sizes):
range [501 - 717] min: NF/NS, max: AN/NS
[448 - 511] : 7
[512 - 575] : 98
[576 - 639] : 128
[640 - 703] : 45
[704 - 767] : 3

Referral sizes (Maximum overall sizes):
range [533 - 1057] min: NF/NS, max: AERO/NS
[512 - 575] : 16
[576 - 639] : 59
[640 - 703] : 55
[704 - 767] : 60
[768 - 831] : 26
[832 - 895] : 42
[896 - 959] : 14
[960 - 1023] : 6
[1024 - 1087] : 3

NXDOMAIN sizes (Maximum truncation sizes):
range [697 - 914] min: @_/A, max: XN--HGBK6AJ7F53BBA_/A
[640 - 703] : 1
[832 - 895] : 270
[896 - 959] : 10

Other response sizes (Full response sizes):
range [282 - 1906] min: NF/ANY, max: @/ANY
[256 - 319] : 32
[320 - 383] : 112
[384 - 447] : 106
[448 - 511] : 122
[512 - 575] : 60
[576 - 639] : 82
[640 - 703] : 28
[704 - 767] : 15
[768 - 831] : 4
[960 - 1023] : 282
[1536 - 1599] : 1
[1856 - 1919] : 1

The two responses over 1500 are ./RRSIG and ./ANY:

full    min     qname   label
---     ---     -----   -----
1561    1157    254     @/RRSIG
1906    1502    254     @/ANY

The ./RRSIG response will shrink to 1157 bytes before setting TC, but the
./ANY response will always set TC.