DNSSEC + IDN + INDccTLD

Mark Andrews Mark_Andrews at isc.org
Mon Sep 1 02:14:47 CEST 2008


> The talk of the town these days is DNSSEC. I worry about the size of 
> an IDNccTLD + IDNs + DNSSEC responses, leading to a quite exclusive 
> use of TCP. I wonder if the related delay, security, documentation, 
> operational aspects have been considered?
>
> jfc

	It is not an issue.  DNSSEC => EDNS and unless you are forcing
	EDNS back to 512 bytes almost all referrals will be < 1200
	bytes resulting in single packet responses even over IPv6.
	NXDOMAIN responses are slightly larger but still < 1500.

	Just make sure your firewall correctly processes fragments.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
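
An added illustration of the size reasoning in the reply above (not part of the original message and not ISC code): it builds a query with an EDNS0 OPT record and the DO bit, reads the advertised UDP size back, and classifies a response length as single packet, fragmented, or truncated. The header sizes, MTU values, function names and the sample IDN name are assumptions chosen for the example.

```python
import struct

# Assumed sizes (not from the message): IP headers without options, UDP header.
IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
IPV6_MIN_MTU, ETHERNET_MTU = 1280, 1500

def build_query(qname, qtype=2, bufsize=4096, do=True, qid=0x1234):
    """Wire-format query carrying an EDNS0 OPT pseudo-record."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_edns(msg):
    """Return (advertised UDP size, DO bit) from the OPT record, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def classify(resp_len, advertised, ipver, path_mtu):
    """How a UDP response of resp_len bytes reaches the client."""
    if resp_len > max(advertised or 512, 512):   # no EDNS means the 512 limit
        return "truncated, retry over TCP"
    if resp_len + UDP_HEADER + IP_HEADER[ipver] > path_mtu:
        return "fragmented"
    return "single packet"

if __name__ == "__main__":
    size, do = parse_edns(build_query("xn--bcher-kva.example"))  # constructed name
    for n in (1200, 1450):
        print(n, classify(n, size, 6, IPV6_MIN_MTU), classify(n, 512, 4, ETHERNET_MTU))
```
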


More information about the Idna-update mailing list