Executive Summary:

At KSK@2048, ZSK@1024 and a maximum UDP response size of 1400, only the ./ANY and ARPA/ANY responses will truncate (set the TC bit), and only the ./RRSIG and ARPA/RRSIG responses will change (shrink, but not set TC).

Recommendations:

1) Use the "minimal-dnskey-response" behavior for the root servers. This behavior is supported by RDNS 2.3.2 and NCDNS 1.1.1 (as well as BIND 9.6.x and NSD 3.2.3).

2) Cap our UDP response sizes at 1472 (or optionally less, down to 1400). The results below show that this is safe. In fact, unless a user does a ./ANY or ./RRSIG query (or the equivalent query for arpa), they will not be able to tell we are capping. This is supported by RDNS 2.3.2 (via the "max_udp_size" option) and NCDNS 1.1.1 (via the "max_edns_response_size" PE config parameter).

Methodology:

* Created a testbed with a signed root with one 2048-bit KSK and one 1024-bit ZSK, a signed arpa with the same key sizes, and (for now) an unsigned root-servers.net zone.
* BIND 9.6 was used as the authoritative server, so the minimal-dnskey-response behavior was in effect.
* A Python script was created using the dnspython package. This script would:
  1. Read the contents of the signed root zone file, and for every name/type pair (except A/AAAA types for root and arpa):
     1.1. Query for the name/type with EDNS0, DO=1, and BUFSIZE=4096 via UDP.
     1.2. Record the resulting response size. This is the "full" response size.
     1.3. Find the "minimum no TC" size by parsing the response, clearing the additional section, re-encoding into compressed wire format, and recording the size. Because of the way the dnspython dns.message class works, the OPT record was preserved. Testing demonstrated that the size did not change for responses that had no additional section records other than OPT (e.g., NXDOMAIN responses).
     1.4. Calculate the additional space that would be taken up if a maximum-sized qname were given (essentially, 255 - len(qname)). Note that this only matters for referrals and NXDOMAIN responses; other responses require an exact qname match.
  2. For every unique name:
     2.1. Query for qname/ANY with EDNS0, DO=1, BUFSIZE=4096 via UDP and record the resulting response size.
     2.2. Query for "qname_/A" (the qname with "_" appended) to elicit an NXDOMAIN response from every NSEC gap. Record the resulting response size.
     2.3. Calculate the additional space for a maximum-sized qname for the NXDOMAIN response.
  3. For each query, output the full size, the minimum no-TC size, the extra space for a maximum-sized qname, and the query label (the "full min qname label" columns shown below).
  4. Calculate histograms for referrals, NXDOMAINs, and other responses and output them.

Results:

* "Maximum overall size" is the size of a response with the additional records and with a 255-byte qname.
* "Full response size" is the size of the response with the additional section (if any), but with the given qname.

Referral sizes (maximum overall sizes):
range [522 - 1057]; min: root-servers.net./NS, max: AERO/NS
  [512 - 576)   : 17
  [576 - 640)   : 63
  [640 - 704)   : 56
  [704 - 768)   : 59
  [768 - 832)   : 27
  [832 - 896)   : 41
  [896 - 960)   : 15
  [960 - 1024)  : 8
  [1024 - 1088) : 3

NXDOMAIN sizes (maximum overall sizes):
range [697 - 914]; min: @_/A, max: XN--HGBK6AJ7F53BBA_/A
  [640 - 704)   : 22
  [832 - 896)   : 270
  [896 - 960)   : 10

Other response sizes (full response sizes):
range [105 - 1906]; min: A.ROOT-SERVERS.NET./NSEC, max: @/ANY
  [64 - 128)    : 14
  [256 - 320)   : 62
  [320 - 384)   : 125
  [384 - 448)   : 122
  [448 - 512)   : 123
  [512 - 576)   : 60
  [576 - 640)   : 80
  [640 - 704)   : 30
  [704 - 768)   : 16
  [768 - 832)   : 4
  [896 - 960)   : 1
  [960 - 1024)  : 295
  [1024 - 1088) : 13
  [1536 - 1600) : 3
  [1856 - 1920) : 3

The six responses over 1500 bytes are variations of the apex RRSIG and ANY queries (full = full response size, min = minimum no-TC size, qname = extra bytes for a 255-byte qname, i.e. 255 - len(qname)):

  full   min    qname   label
  ----   ---    -----   -----
  1549   1189   249     ARPA/RRSIG
  1549   1189   249     ARPA./RRSIG
  1561   1157   254     @/RRSIG
  1899   1539   249     ARPA/ANY
  1899   1539   249     ARPA./ANY
  1906   1502   254     @/ANY

Note that the duplicate arpa queries exist because of the arpa entry in both the root zone and the arpa zone. With a 1400-byte cap, the RRSIG responses shrink to 1189 or 1157 bytes (additional section dropped) rather than setting TC, but the ANY responses, whose minimum sizes (1539 and 1502) still exceed the cap, will always set TC.
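The size calculations in methodology steps 1.3, 1.4 and 4 (minimum no-TC size, extra space for a 255-byte qname, and 64-byte histogram buckets) are shown below as an added, self-contained example that is not the original dnspython script. It works on raw wire format with the standard library only, so the build_sample() message (a constructed referral for "aero." with two NS records, two glue A records and an OPT record, not captured root data), the helper names, and the simplified response_under_cap() decision rule are all assumptions of this example. Stripping the additional section is done by cutting the message at the end of the authority section and re-appending the OPT record, which is valid because DNS compression pointers only ever point backwards, so nothing left in the message can reference the dropped bytes; this reproduces the dnspython behaviour described in step 1.3, where the OPT record survives the clearing.

```python
import struct

OPT_TYPE = 41


def encode_name(name):
    """Uncompressed wire encoding of a dotted name ("aero." -> b"\\x04aero\\x00")."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(owner, rtype, rclass, ttl, rdata):
    """One resource record; owner is already-encoded bytes (may be a pointer)."""
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_sample():
    """Constructed referral response for aero./NS (assumption, not real root data):
    header, question, 2 NS in authority, 2 glue A + OPT in additional."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 2, 3)  # QR=1 RD=1; QD=1 AN=0 NS=2 AR=3
    msg += encode_name("aero.") + struct.pack("!HH", 2, 1)   # aero. IN NS
    ptr_qname = struct.pack("!H", 0xC000 | 12)               # pointer to the qname at offset 12
    glue_owner_ptrs = []
    for host in ("a.nic.aero.", "b.nic.aero."):
        rdata_off = len(msg) + 2 + 10                        # where this NS target name will sit
        glue_owner_ptrs.append(struct.pack("!H", 0xC000 | rdata_off))
        msg += rr(ptr_qname, 2, 1, 172800, encode_name(host))
    for ptr, addr in zip(glue_owner_ptrs, (b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")):
        msg += rr(ptr, 1, 1, 172800, addr)                   # glue A, owner compressed into NS rdata
    msg += rr(b"\x00", OPT_TYPE, 4096, 0x00008000, b"")      # OPT: bufsize 4096, DO bit set
    return msg


def skip_name(msg, off):
    """Offset just past the (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # 2-octet compression pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def skip_rr(msg, off):
    off = skip_name(msg, off)
    rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
    return off + 10 + rdlen


def split_sections(msg):
    """Return (offset of the end of the authority section, OPT record bytes or None)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # qname + qtype + qclass
    for _ in range(an + ns):
        off = skip_rr(msg, off)
    end_auth = off
    opt = None
    for _ in range(ar):
        start = off
        name_end = skip_name(msg, off)
        rtype = struct.unpack("!H", msg[name_end:name_end + 2])[0]
        off = skip_rr(msg, off)
        if rtype == OPT_TYPE:
            opt = msg[start:off]
    return end_auth, opt


def strip_additional(msg):
    """Drop every additional-section record except OPT (step 1.3). Pointers only
    point backwards, so truncating at the end of the authority section stays valid."""
    end_auth, opt = split_sections(msg)
    header = msg[:10] + struct.pack("!H", 1 if opt else 0)   # rewrite ARCOUNT
    return header + msg[12:end_auth] + (opt or b"")


def min_no_tc_size(msg):
    return len(strip_additional(msg))


def max_overall_size(msg):
    """Full size plus the extra room a maximum-length (255 octet) qname would take (step 1.4)."""
    qname_len = skip_name(msg, 12) - 12
    return len(msg) + (255 - qname_len)


def histogram(sizes, width=64):
    """Bucket sizes into [k*width, (k+1)*width) bins, like the tables above (step 4)."""
    out = {}
    for s in sizes:
        bucket = (s // width) * width
        out[bucket] = out.get(bucket, 0) + 1
    return out


def response_under_cap(msg, max_udp):
    """Simplified model (assumption) of what a server sends at a given UDP cap:
    the full message, the additional-stripped one, or a truncated (TC=1) answer."""
    if len(msg) <= max_udp:
        return "full"
    if min_no_tc_size(msg) <= max_udp:
        return "minimal"
    return "tc"


SAMPLE = build_sample()

if __name__ == "__main__":
    print(len(SAMPLE), min_no_tc_size(SAMPLE), max_overall_size(SAMPLE),
          response_under_cap(SAMPLE, 1400))
```

Running it prints the full size, the minimum no-TC size and the maximum overall size of the constructed referral; feeding the same three functions the wire bytes of real responses (for example, the raw buffer returned by a UDP query) reproduces the "full", "min" and "qname" columns of the table above, and response_under_cap() against 1400 gives the TC decision the executive summary describes.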