Does DNSSEC's increased packet size reach end computers?

Bob Harold rharolde at umich.edu
Tue Apr 11 19:11:14 UTC 2023


I was in the process of setting up a test server with DNSSEC signed
domains, and asking users to point at the test server to see if the larger
packets affected their application, when I realized I might be wrong.
DNS Resolvers will get bigger responses from DNS Authoritative servers
because of DNSSEC signatures.  But clients, running stub resolvers, will
likely set the +AD flag and expect the DNS Resolver to validate, but the
client will get a response that does not include any DNSSEC records.  Is
that correct?

So I only need to worry about increased packet sizes between DNS Resolvers
and DNS Authoritative servers?

(Granted, the actual answer size to the client could be large enough to
cause fall-back to TCP, but that is not because of DNSSEC.)

-- 
Bob Harold
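The question above hinges on one wire-level detail: a server only includes RRSIG records in its reply when the query carries an EDNS0 OPT record with the DO ("DNSSEC OK") bit set, and the AD flag in the reply is just one header bit, so a stub that does not set DO gets the validated answer at its normal size. The script below is an added example, not part of Bob's post or of BIND: it builds a query with and without DO, then parses two constructed replies (the names, address and zero-filled "signature" are made up) to show the size difference a stub would actually see. It runs offline with the standard library only.

```python
"""Compare what a stub resolver receives with and without the EDNS0 DO bit.

Constructed, stand-alone example: no real DNS traffic is sent.
"""
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
FLAG_AD = 0x0020  # Authenticated Data bit in the DNS header flags
FLAG_TC = 0x0200  # TrunCation bit
EDNS_DO = 0x00008000  # DO bit lives in the OPT record's "TTL" field


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=False, udp_size=1232):
    """Build a query; with dnssec_ok=True append an OPT RR carrying the DO bit."""
    flags = 0x0100  # RD
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = DO flag, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def build_response(name, addr, include_rrsig, ad, txid=0x1234):
    """Constructed reply: an A record, optionally plus an RRSIG and OPT RR."""
    flags = 0x8180 | (FLAG_AD if ad else 0)  # QR, RD, RA (+AD)
    ancount = 2 if include_rrsig else 1
    arcount = 1 if include_rrsig else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the qname at offset 12
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    msg += bytes(int(octet) for octet in addr.split("."))
    if include_rrsig:
        # RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature.
        # The signature is a zero-filled placeholder sized like a 2048-bit RSA one.
        signer = encode_name("example.test")
        signature = b"\x00" * 256
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 0) + signer + signature
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Summarise a reply: wire size, AD/TC flags, RR count and RRSIG count."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype/qclass
    rr_count = rrsig_count = 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rr_count += 1
        if rtype == TYPE_RRSIG:
            rrsig_count += 1
    return {
        "size": len(msg),
        "ad": bool(flags & FLAG_AD),
        "tc": bool(flags & FLAG_TC),
        "rr_count": rr_count,
        "rrsig_count": rrsig_count,
    }


def compare_stub_views(name="www.example.test", addr="192.0.2.10"):
    """What a validating resolver hands a stub without DO vs with DO (constructed)."""
    without_do = parse_response(build_response(name, addr, include_rrsig=False, ad=True))
    with_do = parse_response(build_response(name, addr, include_rrsig=True, ad=True))
    return {"without_do": without_do, "with_do": with_do}


if __name__ == "__main__":
    print("query, no DO :", len(build_query("www.example.test")), "bytes")
    print("query, DO set:", len(build_query("www.example.test", dnssec_ok=True)), "bytes")
    for label, view in compare_stub_views().items():
        print(label, view)
```

The "without_do" view is the validated answer with the AD bit set but no signatures, so the only thing the stub notices is a single header bit; the "with_do" view carries the RRSIG and OPT records and is several hundred bytes larger, which is the traffic that flows between a validating resolver and the authoritative servers. To check a real stub on a host, capture its outbound queries and look for the OPT record's DO bit rather than assuming one way or the other.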