- Capping our UDP response size is quite safe, and most users will
- not be able to tell that we are doing it.
+Recommendations:
+
+ 1) Use the "minimal-dnskey-response" behavior for the root
+ servers. This behavior is supported by RDNS 2.3.2 and NCDNS 1.1.1
+ (as well as BIND 9.6 and NSD 3.2.3).
+
+ 2) Cap our UDP responses sizes to 1472 (or optionally less, down to
+ 1400). The results below will show that this is safe. In fact,
+ unless a user does a ./ANY or ./RRSIG (or similar query for arpa),
+ they won't be able to tell we are capping. This is supported by
+ RDNS 2.3.2 (via the "max_udp_size" option) and NCDNS 1.1.1 (via the
+ max_edns_response_size" PE config parameter).
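Review bot: recommendation 2) asserts the cap is "safe" but does not say what the server actually does for the ./ANY and ./RRSIG (and arpa) cases that exceed 1472 bytes; the text should state the behaviour it expects there (a truncated answer with TC set and the client retrying over TCP, or something else) and whether the TCP side has been sized for that retry load, since that is the only case where "safe" is being claimed rather than shown. The figure 1472 is also given without its derivation; spell out the MTU and header assumptions behind it (and behind the 1400 lower bound), and state whether the same cap is meant to apply to IPv6 transport, whose larger header leaves less room under the same link MTU, so a later reader can tell why 1472 rather than 1400 was chosen as the default. In 1), the RDNS and NCDNS options are named ("max_udp_size", "max_edns_response_size") but the BIND 9.6 and NSD 3.2.3 settings that provide the "minimal-dnskey-response" behaviour are not; name them so the claim of support can be checked. Finally, the last line of 2) has an unbalanced quote: `max_edns_response_size" PE config parameter` should read `"max_edns_response_size" PE config parameter`.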