large organization nameservers sending icmp packets to dns servers.

Paul Vixie vixie at
Thu Aug 9 22:58:40 UTC 2007

Valdis.Kletnieks at writes:

> > ... advising folks to monitor their authority servers to find out how
> > many truncated responses are going out and how many TCP sessions result
> > from these truncations and how many of these TCP sessions are killed by
> > the RFC1035 4.2.2 connection management logic, and if the numbers seem
> > high, then they ought to change their applications and DNS content so
> > that truncations no longer result.
> How does the (eventual) deployment of DNSSEC change these numbers?

DNSSEC cannot be signalled except in EDNS.

> And who's likely to feel *that* pain first?

the DNSSEC design seems to distribute pain very fairly.
Paul Vixie

More information about the NANOG mailing list