To: davidb@verisignlabs.com (David Blacka)
Cc: bmanning@isi.edu, scottr@antd.nist.gov, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Tue, 17 Sep 2002 13:00:38 -0700 (PDT)
In-Reply-To: <kofzw8s9fg.fsf@pinion.admin.cto.netsol.com> from David Blacka at "Sep 17, 2 03:28:03 pm"
Sender: owner-dnssec@cafax.se
Subject: Re: key length & fragmentation
% >>>>> "Bill" == Bill Manning <bmanning@isi.edu> writes:
%
% Bill> See the point above. If IDS/firewalls toss UDP fragments, we
% Bill> lose.
%
% My experience is that keeping DNSSEC messages (plus overhead) below a
% MTU of 1500 can be sort of difficult and too restrictive besides.
%
% My opinion is that the firewall or router that drops UDP fragments is
% broken.

broken or not, DNSSEC is a very -small- lever in getting ISP/customer
hardware replaced.

% However, if clients behind such broken devices set their EDNS0 max
% buffer size to something that will fit in the MTU, everything will
% work. Well, you will probably see a lot of TCP DNS traffic, but it
% will work.

TCP has its own sets of performance issues but that's marginally better
than random droppage. :)

%
% --
% David Blacka <davidb@verisignlabs.com>
% Sr. Engineer Verisign Applied Research
%

--
--bill
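The size trade-off the two posters are arguing about can be worked through numerically. The following is an added example, not code from either poster: it estimates the wire size of a DNSKEY response for a zone signed with RSA keys of a given modulus length, checks whether the datagram fits a 1500-byte MTU without IPv4 fragmentation, and builds the EDNS0 OPT record a client would use to advertise a smaller maximum UDP buffer. The zone name is a constructed sample; sizes follow the RR format of RFC 1035, the RSA key/signature encoding of RFC 3110, and the OPT pseudo-RR of RFC 2671.

```python
# Added example (not from the thread): estimate DNSKEY response size for RSA
# keys of a given length and check whether it avoids UDP fragmentation.
import struct

IPV4_UDP_OVERHEAD = 20 + 8     # IPv4 header + UDP header, no options
DNS_HEADER = 12                # RFC 1035 section 4.1.1
RR_FIXED = 2 + 2 + 2 + 4 + 2   # compressed owner ptr, type, class, ttl, rdlen
OPT_RR = 1 + 2 + 2 + 4 + 2     # root owner, type, udp size, ext rcode/flags, rdlen

def wire_name_len(name):
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def dnskey_rr_len(modulus_bits):
    """DNSKEY RR with an RSA key: flags/proto/alg (4), exponent length byte (1),
    3-byte exponent such as 65537, then the modulus (RFC 3110)."""
    return RR_FIXED + 4 + 1 + 3 + modulus_bits // 8

def rrsig_rr_len(signer, signing_key_bits):
    """RRSIG RR: 18 fixed rdata bytes, uncompressed signer name, RSA signature
    (same length as the signing key's modulus)."""
    return RR_FIXED + 18 + wire_name_len(signer) + signing_key_bits // 8

def dnskey_response_len(zone, key_bits, signing_bits):
    """Whole DNS message: header, question, DNSKEY RRset, its RRSIGs, OPT record.
    key_bits lists every published key; signing_bits lists the keys that sign
    the DNSKEY RRset (one RRSIG each)."""
    question = wire_name_len(zone) + 4          # QNAME + QTYPE + QCLASS
    answer = sum(dnskey_rr_len(b) for b in key_bits)
    sigs = sum(rrsig_rr_len(zone, b) for b in signing_bits)
    return DNS_HEADER + question + answer + sigs + OPT_RR

def fits_unfragmented(msg_len, mtu=1500):
    """True if the message rides in a single IPv4 UDP datagram at this MTU."""
    return msg_len + IPV4_UDP_OVERHEAD <= mtu

def edns0_opt_record(udp_payload_size):
    """Wire-format OPT pseudo-RR advertising the sender's max UDP buffer:
    root name (0x00), TYPE=41, CLASS=payload size, TTL=0, RDLEN=0."""
    return struct.pack("!BHHIH", 0, 41, udp_payload_size, 0, 0)

if __name__ == "__main__":
    zone = "example."                           # constructed sample zone
    for keys, signers in (([1024, 2048], [2048]), ([2048, 2048, 4096, 4096], [4096, 4096])):
        n = dnskey_response_len(zone, keys, signers)
        print(keys, signers, n, "bytes, unfragmented:", fits_unfragmented(n))
```

The second scenario (a KSK and ZSK rollover with 4096-bit keys) is the kind of response that overshoots a 1500-byte MTU and, in the thread's terms, either fragments or falls back to TCP.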