A DNSSEC irony

Edward Lewis Ed.Lewis at neustar.biz
Thu Aug 6 09:19:18 CDT 2009

At 15:53 -0700 8/5/09, Douglas Otis wrote:

>DNSSEC UDP will likely become problematic.

dotORG (.org) is DNSSEC signed now.
nanog.org is DNSSEC signed now.
Still getting mail on the list saying "DNSSEC UDP will be a problem"...
     (from some commercial's punch line)


>This might be due to reflected attacks, fragmentation related 
>congestion, or packet loss.

The same issues (related to the size of DNSSEC answers) are also true 
for the size of IPv6 answers (AAAA RR) and the size of ENUM (NAPTR 
RR) answers.  I.e., the perceived issues related to stuffing data 
into larger (than 512B) datagrams aren't unique to DNSSEC.  So, if 
you are paranoid about DNSSEC now, don't worry, there's more to be 
paranoid about around the corner.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
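To put numbers on the size argument above, here is an added example (not part of the original post or the NANOG thread): a small hand-rolled DNS wire-format encoder that builds a response with AAAA, NAPTR or A answers, optionally appends an RRSIG, and compares the result with the classic 512-byte UDP limit or an EDNS0 buffer size, setting TC when it does not fit. The owner name `example.net.`, the addresses, TTLs, key tag and the RRSIG "signature" (filler bytes of the length a 2048-bit RSA signature would have) are all constructed placeholders.

```python
"""Measure DNS response sizes against the 512-byte UDP limit of RFC 1035.

Added example with a hand-rolled wire encoder; all names, addresses and
the RRSIG signature bytes are constructed placeholders, not real data.
"""
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 maximum without EDNS0
TYPE_A, TYPE_AAAA, TYPE_NAPTR, TYPE_RRSIG = 1, 28, 35, 46
FLAG_QR, FLAG_TC = 0x8000, 0x0200
QNAME_PTR = b"\xc0\x0c"          # compression pointer to the question name (offset 12)


def encode_name(name):
    """Encode a dotted name in DNS wire format (labels, no compression)."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".") if label)
    return wire + b"\x00"


def char_string(text):
    """<character-string>: one length byte followed by the bytes."""
    data = text.encode("ascii")
    return bytes([len(data)]) + data


def rr(rtype, ttl, rdata):
    """One IN-class resource record whose owner is the question name."""
    return QNAME_PTR + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def aaaa_rdata(host_part):
    """Constructed IPv6 address in the 2001:db8::/64 documentation prefix."""
    return struct.pack("!QQ", 0x20010DB800000000, host_part)


def naptr_rdata(order, pref, flags, service, regexp, replacement="."):
    """NAPTR rdata as used by ENUM: order, preference, three strings, name."""
    return (struct.pack("!HH", order, pref) + char_string(flags)
            + char_string(service) + char_string(regexp)
            + encode_name(replacement))


def rrsig_rdata(type_covered, signer, sig_len=256):
    """RRSIG rdata (RSA/SHA-256, alg 8) with filler instead of a signature."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 3600,
                        0x60000000, 0x5FFF0000, 12345)   # constructed times / key tag
    return fixed + encode_name(signer) + bytes(sig_len)


def build_response(qname, qtype, rdatas, signed, max_payload):
    """Build a QR response; if it exceeds max_payload, return a TC=1 stub.

    max_payload is what the client can accept: 512 without EDNS0, or the
    EDNS0 UDP payload size it advertised. Returns (message, truncated).
    """
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(rr(qtype, 3600, rd) for rd in rdatas)
    if signed:
        answers += rr(TYPE_RRSIG, 3600, rrsig_rdata(qtype, qname))
    ancount = len(rdatas) + (1 if signed else 0)
    head = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, ancount, 0, 0)
    full = head + question + answers
    if len(full) <= max_payload:
        return full, False
    # Too big for this transport: answer with TC set so the client retries over TCP.
    head = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC, 1, 0, 0, 0)
    return head + question, True


def response_size(qname, qtype, rdatas, signed):
    """Size of the untruncated response, for comparison against limits."""
    msg, _ = build_response(qname, qtype, rdatas, signed, 1 << 16)
    return len(msg)


if __name__ == "__main__":
    name = "example.net."  # constructed owner name
    cases = {
        "1 A":      (TYPE_A, [b"\xc0\x00\x02\x01"]),                       # 192.0.2.1
        "8 AAAA":   (TYPE_AAAA, [aaaa_rdata(i) for i in range(1, 9)]),
        "4 NAPTR":  (TYPE_NAPTR, [naptr_rdata(100, 10 * i, "u", "E2U+sip",
                                 "!^.*$!sip:user@example.net!") for i in range(1, 5)]),
    }
    for label, (qtype, rdatas) in cases.items():
        for signed in (False, True):
            size = response_size(name, qtype, rdatas, signed)
            print(f"{label:8} signed={signed!s:5} {size:4} bytes "
                  f"fits512={size <= CLASSIC_UDP_LIMIT} fits1232={size <= 1232}")
```

Eight AAAA records unsigned come to 253 bytes and fit; the same answer with one RRSIG comes to 552 bytes and is truncated for a client without EDNS0 but fits a 1232-byte EDNS0 buffer, and a four-record ENUM NAPTR answer behaves the same way, which is the author's point that the 512-byte ceiling is a property of the answer size, not of DNSSEC alone.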