Does DNSSEC increased packet size reach end computers?

Josh Kuo josh.kuo at gmail.com
Tue Apr 11 20:36:28 UTC 2023


You are correct. Normal stub resolvers on desktop clients or mobile devices
only see the AD flag (or SERVFAIL when validation fails). They will only
get all the additional DNSSEC record types if they used the +dnssec option
in dig (which sets the DO bit in the outbound query).

On Tue, Apr 11, 2023 at 3:12 PM Bob Harold <rharolde at umich.edu> wrote:

> I was in the process of setting up a test server with DNSSEC signed
> domains, and asking users to point at the test server to see if the larger
> packets affected their application, when I realized I might be wrong.
> DNS Resolvers will get bigger responses from DNS Authoritative servers
> because of DNSSEC signatures.  But clients, running stub resolvers, will
> likely set the +AD flag and expect the DNS Resolver to validate, but the
> client will get a response that does not include any DNSSEC records.  Is
> that correct?
>
> So I only need to worry about increased packet sizes between DNS Resolvers
> and DNS Authoritative servers?
>
> (Granted, the actual answer size to the client could be large enough to
> cause fall-back to TCP, but that is not because of DNSSEC.)
>
> --
> Bob Harold
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
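For readers who want to see the bits in question rather than take the description on trust: the following is an added illustration, not part of the thread and not BIND code. It constructs DNS messages offline with nothing but the standard library, so names, addresses, record contents and the resolver_response() model are all assumptions made here: the "stub" query sets the AD bit in the header, the "dig +dnssec" query sets the DO bit in the EDNS0 OPT RR, and resolver_response() models a validating resolver that returns SERVFAIL when validation fails and otherwise an answer with AD set, adding an RRSIG (a placeholder of realistic length, not a real signature) only when the query carried DO. parse_message() then reads the flags back out of either side's message.

```python
"""Which bits control whether DNSSEC data reaches a client?

Constructed DNS messages (no network needed): a stub query that sets the
header AD bit, a `dig +dnssec`-style query that sets the EDNS0 DO bit,
and a model of what a validating resolver sends back to each.
"""
import struct

QTYPE_A, QTYPE_RRSIG, QTYPE_OPT = 1, 46, 41
RCODE_SERVFAIL = 2
FLAG_QR = 0x8000  # header: message is a response
FLAG_RD = 0x0100  # header: recursion desired
FLAG_RA = 0x0080  # header: recursion available
FLAG_AD = 0x0020  # header: authenticated data (RFC 4035; in queries, RFC 6840 s5.7)
EDNS_DO = 0x8000  # OPT RR "TTL" field: DNSSEC OK (RFC 3225)
EDNS_UDP_SIZE = 1232


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, edns=True, dnssec_ok=False, ad=False):
    """Build a UDP query.  dnssec_ok sets DO in the OPT RR (what dig +dnssec
    does); ad sets AD in the header (a stub asking for the AD flag back)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    arcount = 1 if (edns or dnssec_ok) else 0      # DO needs an OPT RR to live in
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if arcount:
        ttl = EDNS_DO if dnssec_ok else 0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_SIZE, ttl, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_message(pkt):
    """Pull the DNSSEC-relevant facts out of a query or a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4    # name + qtype + qclass
    info = {"txid": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "edns": False, "do": False, "rrsig_count": 0}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            info["edns"], info["do"] = True, bool(ttl & EDNS_DO)
        elif rtype == QTYPE_RRSIG:
            info["rrsig_count"] += 1
    return info


def resolver_response(query, validated=True):
    """Model of a validating resolver's reply (constructed for this example,
    not captured BIND output): SERVFAIL if validation failed; otherwise the
    A record with AD set, and the RRSIG only if the query carried DO."""
    q = parse_message(query)
    question = query[12:skip_name(query, 12) + 4]
    flags, answers, ancount = FLAG_QR | FLAG_RD | FLAG_RA, b"", 0
    if not validated:
        flags |= RCODE_SERVFAIL
    else:
        flags |= FLAG_AD
        ptr = b"\xc0\x0c"                 # compression pointer to the question name
        answers += ptr + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
        ancount = 1
        if q["do"]:
            # Placeholder RRSIG rdata of realistic length; not a real signature.
            sig = b"\x00" * 18 + encode_name("example.com") + b"\x00" * 128
            answers += ptr + struct.pack("!HHIH", QTYPE_RRSIG, 1, 300, len(sig)) + sig
            ancount += 1
    arcount = 1 if q["edns"] else 0
    pkt = struct.pack("!HHHHHH", q["txid"], flags, 1, ancount, 0, arcount)
    pkt += question + answers
    if arcount:                           # echo OPT so the client sees the EDNS/DO state
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_SIZE,
                                     EDNS_DO if q["do"] else 0, 0)
    return pkt


if __name__ == "__main__":
    stub = build_query("example.com", ad=True)          # typical OS stub resolver
    dig = build_query("example.com", dnssec_ok=True)    # dig +dnssec
    for label, qry in (("stub (AD in query)", stub), ("dig +dnssec (DO)", dig)):
        resp = resolver_response(qry)
        print(f"{label:20s} query={len(qry):3d}B response={len(resp):3d}B {parse_message(resp)}")
    print("validation failure ->", parse_message(resolver_response(stub, validated=False)))
```

Running it shows the point of the thread in byte counts: the stub's response carries the AD flag and no RRSIG, so it is the same size it would be without DNSSEC, while the DO query gets the RRSIG back and grows accordingly; a validation failure comes back as SERVFAIL with AD clear and no answer at all. A real RRSIG is larger still (the signature alone is 256 bytes for RSA-2048), which is why the resolver-to-authoritative path, where DO is always set, is the one to test for fragmentation and TCP fallback.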