To: Bill Manning <bmanning@isi.edu>
Cc: scottr@antd.nist.gov (Scott Rose), dnssec@cafax.se
From: David Blacka <davidb@verisignlabs.com>
Date: Tue, 17 Sep 2002 15:28:03 -0400
In-Reply-To: <200209171814.g8HIE3p03471@boreas.isi.edu> (Bill Manning's message of "Tue, 17 Sep 2002 11:14:03 -0700 (PDT)")
Sender: owner-dnssec@cafax.se
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) XEmacs/21.4 (Common Lisp, i386-mandrake-linux)
Subject: Re: key length & fragmentation
>>>>> "Bill" == Bill Manning <bmanning@isi.edu> writes:

Bill> See the point above. If IDS/firewalls toss UDP fragments, we
Bill> lose.

My experience is that keeping DNSSEC messages (plus overhead) below a MTU of 1500 can be sort of difficult and too restrictive besides.

My opinion is that the firewall or router that drops UDP fragments is broken. However, if clients behind such broken devices set their EDNS0 max buffer size to something that will fit in the MTU, everything will work. Well, you will probably see a lot of TCP DNS traffic, but it will work.

-- 
David Blacka <davidb@verisignlabs.com>
Sr. Engineer
Verisign Applied Research
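The trade-off described in this message, worked through in code. This is an added example, not code from either poster or from any DNS implementation: it builds a DNS query carrying an EDNS0 OPT record with a chosen UDP payload size, shows what a server reads back from it, and models the three ways a large (DNSSEC-signed) UDP response can reach the client: in one datagram, in IP fragments, or truncated so the client retries over TCP. The 1800-byte response length, the query name and the IPv4/UDP header sizes are constructed assumptions for the demonstration.

```python
import struct

IPV4_HEADER_LEN = 20      # IPv4 header without options
UDP_HEADER_LEN = 8
OPT_TYPE = 41             # EDNS0 OPT pseudo-RR type code (RFC 2671)
CLASSIC_UDP_LIMIT = 512   # pre-EDNS0 UDP payload ceiling


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_payload_size: int, do_bit: bool = True) -> bytes:
    """Encode the EDNS0 OPT pseudo-RR. NAME is the root label; the CLASS field
    carries the requester's UDP payload size; the TTL field carries ext-RCODE,
    version and flags (DO = 0x8000 asks for DNSSEC records); RDLEN is 0."""
    ttl_field = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl_field, 0)


def build_query(qname: str, qtype: int, udp_payload_size: int, txid: int = 0x1234) -> bytes:
    """A minimal DNS query: header with RD set and ARCOUNT=1, one question, one OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + build_opt_rr(udp_payload_size)


def advertised_payload_size(query: bytes) -> int:
    """What a server learns from the query: the UDP payload size advertised in the
    OPT RR of the additional section, or 512 if the query carries no EDNS0.
    Assumes a single, uncompressed question, as any real query would have."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return CLASSIC_UDP_LIMIT
    pos = 12                      # skip the 12-byte header
    while query[pos] != 0:        # walk the QNAME labels
        pos += 1 + query[pos]
    pos += 1 + 4                  # root label, then QTYPE/QCLASS
    name, rrtype, size = struct.unpack("!BHH", query[pos:pos + 5])
    if name != 0 or rrtype != OPT_TYPE:
        return CLASSIC_UDP_LIMIT
    return size


def safe_payload_size(mtu: int = 1500, ip_header_len: int = IPV4_HEADER_LEN) -> int:
    """Largest EDNS0 buffer size for which a full-size response still fits in one
    unfragmented datagram on a path with the given MTU (1472 for IPv4 at 1500)."""
    return mtu - ip_header_len - UDP_HEADER_LEN


def classify_delivery(response_len: int, advertised: int, mtu: int = 1500) -> str:
    """How a UDP response of response_len bytes reaches a client that advertised
    the given buffer size: 'truncated' (server sets TC, client retries over TCP),
    'fragmented' (fits the buffer but not the path MTU) or 'single' datagram."""
    if response_len > advertised:
        return "truncated"
    if response_len + IPV4_HEADER_LEN + UDP_HEADER_LEN > mtu:
        return "fragmented"
    return "single"


if __name__ == "__main__":
    SIGNED_RESPONSE_LEN = 1800    # constructed: a DNSKEY answer with RRSIGs
    for size in (4096, safe_payload_size()):
        query = build_query("example.com.", 48, size)   # 48 = DNSKEY
        seen = advertised_payload_size(query)
        print(f"client advertises {seen}: response of {SIGNED_RESPONSE_LEN} bytes "
              f"is delivered {classify_delivery(SIGNED_RESPONSE_LEN, seen)}")
```

With a 4096-byte buffer the 1800-byte answer is fragmented, and a middlebox that drops UDP fragments silently loses it; with the buffer capped at 1472 the server truncates instead and the client falls back to TCP, which is the "lots of TCP DNS traffic, but it works" outcome the message predicts.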