A DNSSEC irony
Edward Lewis
Ed.Lewis at neustar.biz
Thu Aug 6 14:19:18 UTC 2009
At 15:53 -0700 8/5/09, Douglas Otis wrote:
>DNSSEC UDP will likely become problematic.
dotORG (.org) is DNSSEC signed now.
nanog.org is DNSSEC signed now.
Still getting mail on the list saying "DNSSEC UDP will be a problem"...
(from some commercial's punch line)
...priceless
Continuing,
>This might be due to reflected attacks, fragmentation related
>congestion, or packet loss.
The same issues (related to the size of DNSSEC answers) are also true
for the size of IPv6 answers (AAAA RR) and the size of ENUM (NAPTR
RR) answers. I.e., the perceived issues related to stuffing data
into larger (than 512B) datagrams aren't unique to DNSSEC. So, if
you are paranoid about DNSSEC now, don't worry, there's more to be
paranoid about around the corner.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.