Does DNSSEC increased packet size reach end computers?

Mark Andrews marka at isc.org
Tue Apr 11 21:27:44 UTC 2023


There are some applications that will do DNSSEC.  You should assume that any application may ask for DNSSEC records and that is normal.  DNSSEC was designed from the very beginning to be validated in the application and only works fully when that is done.  The recursive server still needs to validate the responses to prevent the cache being poisoned by spoofed responses.  The clients will switch between UDP and TCP to get the responses they need.

The AD bit is only to be trusted if there is channel security and you trust the recursive server.

Mark

> On 12 Apr 2023, at 05:11, Bob Harold <rharolde at umich.edu> wrote:
> 
> I was in the process of setting up a test server with DNSSEC signed domains, and asking users to point at the test server to see if the larger packets affected their application, when I realized I might be wrong.
> DNS Resolvers will get bigger responses from DNS Authoritative servers because of DNSSEC signatures.  But clients, running stub resolvers, will likely set the +AD flag and expect the DNS Resolver to validate, but the client will get a response that does not include any DNSSEC records.  Is that correct?
> 
> So I only need to worry about increased packet sizes between DNS Resolvers and DNS Authoritative servers?
> 
> (Granted, the actual answer size to the client could be large enough to cause fall-back to TCP, but that is not because of DNSSEC.)
> 
> -- 
> Bob Harold

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
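An added illustration of the two points in the reply above (this is constructed example code, not from the thread or from BIND): a stub client that sets the EDNS0 DO bit does receive RRSIG records, so its answers grow; if the answer exceeds the UDP payload limit it is truncated with TC set and must be retried over TCP; and the AD bit on its own proves nothing unless the path to the recursive server is secured and that server is trusted. The wire-format builder and parser are hand-written, the names and addresses are placeholders, and the RRSIG signature is 256 dummy zero bytes (RSA-2048 sized) used only to show the size growth.

```python
"""Constructed example: what a stub client sees when it asks for DNSSEC data.

Everything here is built by hand in DNS wire format so it runs offline.
The signature bytes are dummy zeros of RSA-2048 length; the point is the
message size, not cryptographic validity.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_TC, FLAG_AD = 0x0200, 0x0020   # header flag bits
EDNS_DO = 0x8000                    # DO bit lives in the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, udp_payload=1232, do=True):
    """A stub query: RD set, one question, one OPT record advertising the UDP
    buffer size. With do=True the client asks for RRSIGs to be included."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, EDNS_DO if do else 0, 0)
    return header + question + opt


def build_response(qname, signed, udp_payload_limit=None):
    """Answer for qname: one A record, plus an RRSIG when signed.
    If the full message would not fit udp_payload_limit, return what a server
    sends over UDP instead: an empty answer section with TC=1."""
    flags = 0x8180  # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    # 0xC00C is a compression pointer to the question name at offset 12.
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    answers = [a_rr]
    if signed:
        # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
        # inception, key tag, signer name, signature (dummy zeros here).
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 1700000000, 1690000000, 12345)
                 + encode_name(qname) + b"\x00" * 256)
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO if signed else 0, 0)
    msg = (struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 1)
           + question + b"".join(answers) + opt)
    if udp_payload_limit is not None and len(msg) > udp_payload_limit:
        msg = struct.pack("!6H", 0x1234, flags | FLAG_TC, 1, 0, 0, 1) + question + opt
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def inspect_response(msg):
    """Summarise the flags and record types a client cares about."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    rrsigs, do = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"size": len(msg), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "do": do, "rrsigs": rrsigs}


def needs_tcp_retry(info):
    """A truncated UDP answer is incomplete; the client re-asks over TCP."""
    return info["tc"]


def ad_is_trustworthy(info, channel_secured, resolver_trusted):
    """AD is the resolver's claim, not proof: only act on it when the channel
    to the resolver is authenticated and the resolver itself is trusted."""
    return info["ad"] and channel_secured and resolver_trusted


if __name__ == "__main__":
    for label, signed, limit in (("unsigned", False, None), ("signed", True, None),
                                 ("signed, UDP limit 300", True, 300)):
        print(label, inspect_response(build_response("example.com", signed, limit)))
```

Running it shows the unsigned answer at 56 bytes, the signed one at 355 bytes with one RRSIG, and the same signed answer under a 300-byte UDP limit coming back as a 40-byte TC=1 reply that the client must retry over TCP.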
