nanog mailing list archives

A DNSSEC irony


From: Edward Lewis <Ed.Lewis () neustar biz>
Date: Thu, 6 Aug 2009 10:19:18 -0400

At 15:53 -0700 8/5/09, Douglas Otis wrote:

> DNSSEC UDP will likely become problematic.

dotORG (.org) is DNSSEC signed now.
nanog.org is DNSSEC signed now.
Still getting mail on the list saying "DNSSEC UDP will be a problem"...
    (from some commercial's punch line)
...priceless

Continuing,

> This might be due to reflected attacks, fragmentation related congestion, or packet loss.

The same issues (related to the size of DNSSEC answers) are also true for the size of IPv6 answers (AAAA RR) and the size of ENUM (NAPTR RR) answers. I.e., the perceived issues related to stuffing data into larger (than 512B) datagrams aren't unique to DNSSEC. So, if you are paranoid about DNSSEC now, don't worry, there's more to be paranoid about around the corner.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
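The size point made in the post above (DNSSEC, AAAA and NAPTR answers all routinely exceed the classic 512-byte UDP limit) can be checked from the wire format alone. The following is an added example, not code from the thread or from NANOG: it builds a query with an EDNS0 OPT record advertising a larger UDP buffer, and classifies a response by whether the TC bit forces a TCP retry, whether it needed EDNS0 at all, and whether it would be fragmented on a 1500-byte IPv4 link. The domain name and the sample response bytes are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512        # RFC 1035 ceiling for DNS over UDP without EDNS0
IPV4_UDP_OVERHEAD = 20 + 8     # IPv4 header + UDP header, no IP options
QTYPES = {"A": 1, "AAAA": 28, "NAPTR": 35, "RRSIG": 46, "DNSKEY": 48}

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, edns_bufsize=4096, dnssec_ok=True):
    """Build a DNS query. With EDNS0, the OPT RR's CLASS field advertises the UDP
    payload size the client accepts and the DO bit asks for RRSIGs in the answer."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    if not edns_bufsize:
        return header + question
    ttl = (1 << 15) if dnssec_ok else 0  # OPT "TTL" = ext-rcode | version | DO | Z
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, ttl, 0)  # root name, TYPE 41
    return header + question + opt

def analyze_response(resp, link_mtu=1500):
    """Report what a UDP response of this size implies for the path it crossed."""
    txid, flags = struct.unpack("!HH", resp[:4])
    size = len(resp)
    return {
        "txid": txid,
        "truncated": bool(flags & 0x0200),        # TC set: client must retry over TCP
        "needs_edns0": size > CLASSIC_UDP_LIMIT,  # would not fit a classic 512B datagram
        "fragments": size + IPV4_UDP_OVERHEAD > link_mtu,  # IPv4 fragmentation on link
    }

# Constructed sample: a 12-byte response header with QR, TC, RD and RA set,
# i.e. a server that hit the UDP limit and signalled truncation.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# Constructed sample: a header plus 1480 bytes of padding standing in for a
# large signed answer; padding is not a real RRset.
SAMPLE_LARGE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 1) + b"\x00" * 1480
```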

