I have some preliminary results from my root response size research.

Executive Summary:

At KSK@2048, ZSK@1024, only the ./ANY response will truncate (set the TC bit), and only the ./RRSIG response will change (but not set TC) with a max UDP size at 1400. Capping our UDP response size is quite safe, and most users will not be able to tell that we are doing it.

Methodology:

* Created a testbed with a signed root with one 2048-bit KSK, one 1024-bit ZSK, and (for now) an unsigned root-servers.net zone.

* BIND 9.6 was used as the authoritative server (so the minimal-dnskey-response behavior was in effect).

* A python script was created using the dnspython package. This script would:

  1. Read the contents of the signed root zone file, and for every name/type pair (except A/AAAA):
     1.1. Query for the name/type with EDNS0, DO=1, BUFSIZE=4096 via UDP.
     1.2. Record the resulting response size.
     1.3. Find the "minimum no TC" size by parsing the response, clearing the additional section, re-encoding into compressed wire format, then recording the size. Because of the way the dnspython dns.message class works, the OPT record was preserved.
     1.4. Calculate the additional amount of space that would be taken up if a maximum sized qname was given (essentially, 255 - len(qname)). Note that this only matters for referrals and NXDOMAIN responses. Other responses require an exact qname match.

  2. For every unique name:
     2.1. Query for the qname/ANY with EDNS0, DO=1, BUFSIZE=4096 via UDP and record the resulting response size.
     2.2. Query for "qname_/A". This was to elicit an NXDOMAIN response from every NSEC gap. Record the resulting response size.
     2.3. Calculate the additional amount of space for a maximum sized qname for the NXDOMAIN response.

  3. For each query, output:

  4. Calculate histograms for referrals, nxdomains, and other responses and output.

Results:

* "Maximum truncation size" is basically the size of a response without the additional records, but with a 255-byte qname. Note that NXDOMAIN responses don't have additional section records.

* "Maximum overall size" is the size of a response *with* the additional records and with a 255-byte qname.

* "Full response size" is the size of the response with the additional section (if any), but with the given qname.

Referral sizes (Maximum truncation sizes):
  range [501 - 717]   min: NF/NS, max: AN/NS
  [448 - 511]   :   7
  [512 - 575]   :  98
  [576 - 639]   : 128
  [640 - 703]   :  45
  [704 - 767]   :   3

Referral sizes (Maximum overall sizes):
  range [533 - 1057]   min: NF/NS, max: AERO/NS
  [512 - 575]   :  16
  [576 - 639]   :  59
  [640 - 703]   :  55
  [704 - 767]   :  60
  [768 - 831]   :  26
  [832 - 895]   :  42
  [896 - 959]   :  14
  [960 - 1023]  :   6
  [1024 - 1087] :   3

NXDOMAIN sizes (Maximum truncation sizes):
  range [697 - 914]   min: @_/A, max: XN--HGBK6AJ7F53BBA_/A
  [640 - 703]   :   1
  [832 - 895]   : 270
  [896 - 959]   :  10

Other response sizes (Full response sizes):
  range [282 - 1906]   min: NF/ANY, max: @/ANY
  [256 - 319]   :  32
  [320 - 383]   : 112
  [384 - 447]   : 106
  [448 - 511]   : 122
  [512 - 575]   :  60
  [576 - 639]   :  82
  [640 - 703]   :  28
  [704 - 767]   :  15
  [768 - 831]   :   4
  [960 - 1023]  : 282
  [1536 - 1599] :   1
  [1856 - 1919] :   1

The two responses over 1500 are ./RRSIG and ./ANY:

  full   min  qname  label
  ----   ---  -----  -----
  1561  1157   254   @/RRSIG
  1906  1502   254   @/ANY

The ./RRSIG response will shrink to 1157 bytes before setting TC, but the ./ANY response will always set TC.
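For anyone who wants to reproduce the three size measures without a signed-root testbed, here is an added, self-contained illustration. It is not the dnspython script from the post: it uses only the Python standard library, builds one constructed referral (a made-up "example." delegation with NS, DS, a 128-byte RSA-1024-style RRSIG, and two glue A records), and then computes the full size, the "minimum no TC" size (additional section cleared, OPT record kept), the 255-byte-qname padding, and the 64-byte histogram bins used above. The record mix, names, rdata and TTLs are all placeholders, not root zone data.

```python
"""Added example, not the post's own script: compute the post's response-size
measures for a constructed referral using only the standard library.
All names, rdata and the record mix below are constructed placeholders."""
import struct
from collections import Counter

A, NS, OPT, DS, RRSIG = 1, 2, 41, 43, 46


def encode_name(name, offset, compress):
    """Wire-encode a dotted name with RFC 1035 compression. `compress` maps a
    suffix that has already been emitted to the offset where it appeared."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in compress:                      # point at earlier copy
            out += struct.pack("!H", 0xC000 | compress[suffix])
            return bytes(out)
        compress[suffix] = offset + len(out)
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)                                   # root label terminator
    return bytes(out)


def encode_rr(name, rtype, rdata, offset, compress):
    """Encode one RR. NS rdata is a compressible name; everything else is raw."""
    out = bytearray(encode_name(name, offset, compress))
    out += struct.pack("!HHI", rtype, 1, 172800)    # type, class IN, TTL
    if rtype == NS:
        rdata = encode_name(rdata, offset + len(out) + 2, compress)
    out += struct.pack("!H", len(rdata)) + rdata
    return bytes(out)


def build_response(qname, qtype, answer, authority, additional, rcode=0):
    """Assemble an EDNS0 (DO=1, bufsize 4096) response. The OPT RR is always
    appended, mirroring the dnspython behaviour the post notes."""
    compress = {}
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1,
                                len(answer), len(authority), len(additional) + 1))
    msg += encode_name(qname, len(msg), compress) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answer + authority + additional:
        msg += encode_rr(name, rtype, rdata, len(msg), compress)
    msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)   # DO bit set
    return bytes(msg)


def size_measures(qname, qtype, answer, authority, additional, rcode=0):
    """Return the post's numbers for one response: full size, 'minimum no TC'
    size (additional section cleared, OPT kept), the extra bytes a 255-byte
    qname would add, and the resulting maximum truncation/overall sizes.
    Only referrals and NXDOMAINs are sensitive to qname length."""
    full = len(build_response(qname, qtype, answer, authority, additional, rcode))
    min_no_tc = len(build_response(qname, qtype, answer, authority, [], rcode))
    qname_sensitive = rcode == 3 or (not answer and bool(authority))
    extra = 255 - len(encode_name(qname, 0, {})) if qname_sensitive else 0
    return {"full": full, "min_no_tc": min_no_tc, "extra_qname": extra,
            "max_truncation": min_no_tc + extra, "max_overall": full + extra}


def histogram(sizes, width=64):
    """Bucket sizes into the post's 64-byte bins as [(lo, hi, count), ...]."""
    counts = Counter((s // width) * width for s in sizes)
    return [(lo, lo + width - 1, n) for lo, n in sorted(counts.items())]


# Constructed referral: the root answering www.example./A with a delegation of
# "example." plus glue. RRSIG rdata = 18 fixed bytes + signer "." + 128-byte sig.
SIG_RDATA = (struct.pack("!HBBIIIH", DS, 5, 1, 172800, 0, 0, 12345)
             + b"\x00" + b"\x11" * 128)
REFERRAL = dict(
    qname="www.example.", qtype=A, answer=[],
    authority=[("example.", NS, "ns1.example."), ("example.", NS, "ns2.example."),
               ("example.", DS, b"\x22" * 36), ("example.", RRSIG, SIG_RDATA)],
    additional=[("ns1.example.", A, b"\xc0\x00\x02\x01"),
                ("ns2.example.", A, b"\xc0\x00\x02\x02")])

if __name__ == "__main__":
    m = size_measures(**REFERRAL)
    print(m)                                          # full 315, min_no_tc 283
    print(histogram([m["max_truncation"], m["max_overall"]]))
```

The two glue A records cost 16 bytes each here (compressed owner, 10 bytes of fixed fields, 4 bytes of address), so the gap between "full" and "minimum no TC" is small compared with the signature; that matches the post's observation that the additional section is not what pushes root responses past a UDP cap.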