I have some preliminary results from my root response size research.

At KSK@2048, ZSK@1024, only the ./ANY response will truncate (set
the TC bit), and only the ./RRSIG response will change (but not set TC)
with a max UDP size at 1400.

Capping our UDP response size is quite safe, and most users will
not be able to tell that we are doing it.
* Created a testbed with a signed root with one 2048-bit KSK, one
  1024-bit ZSK, and (for now) an unsigned root-servers.net zone.

* BIND 9.6 was used as the authoritative server (so the
  minimal-dnskey-response behavior was in effect).

* A Python script was created using the dnspython package. This

  1. Read the contents of the signed root zone file, and for every
     name/type pair (except A/AAAA):

     1.1. Query for the name/type with EDNS0, DO=1, BUFSIZE=4096 via

     1.2. Record the resulting response size.

     1.3. Find the "minimum no TC" size by parsing the response,
          clearing the additional section, re-encoding into
          compressed wire format, then recording the size. Because
          of the way the dnspython dns.message class works, the OPT

     1.4. Calculate the additional amount of space that would be
          taken up if a maximum sized qname was given (essentially,
          255 - len(qname)). Note that this only matters for
          referrals and NXDOMAIN responses. Other responses require

  2. For every unique name:

     2.1. Query for the qname/ANY with EDNS0, DO=1, BUFSIZE=4096 via
          UDP and record the resulting response size.

     2.2. Query for "qname_/A". This was to elicit an NXDOMAIN
          response from every NSEC gap. Record the resulting

     2.3. Calculate the additional amount of space for a maximum
          sized qname for the NXDOMAIN response.

  3. For each query, output:
     <full size><tab><min no tc size><tab><max qname diff><tab><qname/qtype>

  4. Calculate histograms for referrals, nxdomains, and other
* "Maximum truncation size" is basically the size of a response without
  the additional records, but with a 255-byte qname. Note that
  NXDOMAIN responses don't have additional section records.
* "Maximum overall size" is the size of a response *with* the
  additional records and with a 255-byte qname.
* "Full response size" is the size of the response with the additional
  section (if any), but with the given qname.
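The sizing steps above (1.3, 1.4 and the three definitions) can be reproduced without a live testbed. The following is an added example, not the author's dnspython script: it encodes a constructed referral into compressed wire format with a minimal RFC 1035 encoder, then derives the full size, the "minimum no TC" size (additional section cleared), the max-qname diff (255 minus the qname's wire length) and, from those, the maximum truncation and maximum overall sizes. The delegation names and glue addresses are made up, and it assumes a server keeps the OPT RR when it trims the additional section.

```python
"""Size a DNS response the way the experiment does, in pure Python.
Added example: encode a constructed message to compressed wire format and
compute (full size, minimum-no-TC size, max-qname diff)."""
import struct

NS, A, OPT = 2, 1, 41
MAX_NAME_WIRE = 255  # RFC 1035 limit on a wire-format domain name


def name_wire_len(name):
    """Uncompressed wire length of a dotted name ("." -> 1 byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


def encode_name(name, offset, comp):
    """Encode `name` at message offset `offset` with RFC 1035 compression.
    `comp` maps suffixes already emitted to the offset of their first copy."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in comp:                       # emit a 2-byte pointer
            return out + struct.pack("!H", 0xC000 | comp[suffix])
        comp[suffix] = offset + len(out)         # messages here stay < 16 KiB
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(rr, offset, comp):
    """rr = (owner, type, class, ttl, rdata); rdata is a name for NS,
    a dotted IPv4 string for A, and raw bytes otherwise (b"" for OPT)."""
    owner, rtype, rclass, ttl, rdata = rr
    out = encode_name(owner, offset, comp)
    if rtype == NS:
        rd = encode_name(rdata, offset + len(out) + 10, comp)
    elif rtype == A:
        rd = bytes(int(o) for o in rdata.split("."))
    else:
        rd = rdata
    return out + struct.pack("!HHIH", rtype, rclass, ttl, len(rd)) + rd


def encode_message(qname, qtype, answer, authority, additional):
    """Header + question + three sections, all sharing one compression table."""
    comp = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1,
                      len(answer), len(authority), len(additional))
    msg += encode_name(qname, len(msg), comp) + struct.pack("!HH", qtype, 1)
    for section in (answer, authority, additional):
        for rr in section:
            msg += encode_rr(rr, len(msg), comp)
    return msg


def response_sizes(qname, qtype, answer, authority, additional):
    """Return (full size, minimum no-TC size, max-qname diff).
    Assumption: the server drops additional records but keeps the OPT RR
    before it resorts to setting TC."""
    full = len(encode_message(qname, qtype, answer, authority, additional))
    opt_only = [rr for rr in additional if rr[1] == OPT]
    min_no_tc = len(encode_message(qname, qtype, answer, authority, opt_only))
    return full, min_no_tc, MAX_NAME_WIRE - name_wire_len(qname)


def max_sizes(full, min_no_tc, diff):
    """(maximum truncation size, maximum overall size) as defined above."""
    return min_no_tc + diff, full + diff


def classify(full, min_no_tc, max_udp):
    """Behaviour of a response at a given UDP size cap."""
    if full <= max_udp:
        return "fits"
    if min_no_tc <= max_udp:
        return "shrinks"      # additional records dropped, TC not set
    return "truncates"        # TC set; the client must retry over TCP


# Constructed referral for nf./NS (names and addresses are made up).
OPT_RR = (".", OPT, 4096, 0x00008000, b"")   # class = UDP size, ttl carries DO
REFERRAL_AUTH = [("nf.", NS, 1, 172800, "ns1.nic.nf."),
                 ("nf.", NS, 1, 172800, "ns2.nic.nf.")]
REFERRAL_ADDL = [("ns1.nic.nf.", A, 1, 172800, "192.0.2.1"),
                 ("ns2.nic.nf.", A, 1, 172800, "192.0.2.2"),
                 OPT_RR]

if __name__ == "__main__":
    full, min_no_tc, diff = response_sizes("nf.", NS, [], REFERRAL_AUTH, REFERRAL_ADDL)
    print(f"{full}\t{min_no_tc}\t{diff}\tNF/NS")   # same layout as step 3
    print(max_sizes(full, min_no_tc, diff), classify(full, min_no_tc, 1400))
```

The diff term matches the page's own figure for the root name: "." is one byte on the wire, so 255 - 1 = 254, the third column of the @/RRSIG line. `classify` expresses the closing observation directly: a response whose full size exceeds the cap but whose minimum-no-TC size does not will shrink, while one whose minimum-no-TC size still exceeds the cap must set TC.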
Referral sizes (Maximum truncation sizes):
range [501 - 717] min: NF/NS, max: AN/NS

Referral sizes (Maximum overall sizes):
range [533 - 1057] min: NF/NS, max: AERO/NS

NXDOMAIN sizes (Maximum truncation sizes):
range [697 - 914] min: @_/A, max: XN--HGBK6AJ7F53BBA_/A

Other response sizes (Full response sizes):
range [282 - 1906] min: NF/ANY, max: @/ANY
The two responses over 1500 are ./RRSIG and ./ANY:

1561 1157 254 @/RRSIG

The ./RRSIG response will shrink to 1157 bytes before setting TC, but the
./ANY response will always set TC.