[Cda] DNS packet size issues

ALAIN AINA aalain at nsrc.org
Fri Jul 26 19:51:15 EAT 2024


Dear All,

You may remember our discussions about the DNS packet size issue with the “.bj” DNSKEY RR, with a KSK of 4096 bits and a ZSK of 2048 bits, and the ongoing ZSK rollover. I took the liberty of using RIPE Atlas to emphasise the scope of the problem.

I ran various measurements for 3 days with 20 IPv4 probes randomly selected for each. The summary of the query and the results are presented below:

==============

1- .mg soa +dnssec (resolv on probe)
 https://atlas.ripe.net/measurements/76126605/ 

13 responses with signature
6 responses without signature


2- .bj soa +dnssec (resolv on probe)
 https://atlas.ripe.net/measurements/76127007/

11 responses with signature
2 no answer available (timeout)
5 responses without signature


3- .bj dnskey bufsize=1232 +dnssec (resolv on probe)
 https://atlas.ripe.net/measurements/76126967/

2 server failed
14 no answers available (no Error)
1 answer with signature
5 answers without signature

4- .bj dnskey +dnssec +tcp (resolv on probe)
 https://atlas.ripe.net/measurements/76127724/ 

2 no answers available
7 responses with signature
10 did not reach their target

======

The outcomes of measurements 3 & 4 present the scope of the issue.

Bon weekend

—Alain
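
Added example, not part of the original message: a wire-size estimate for a DNSKEY response carrying a 4096-bit KSK and 2048-bit ZSKs, compared with the 1232-byte buffer used in measurement 3. Assumptions not taken from the message: RSA keys with public exponent 65537, a single RRSIG made by the KSK, two ZSKs published during the rollover, compressed owner names and an OPT record without options; the function names are illustrative.

```python
# Added illustration: estimated wire size of a DNSKEY response over UDP.
# Assumptions (not from the message): RSA keys with public exponent 65537,
# one RRSIG made by the KSK, compressed owner names, OPT record without options.

HEADER = 12          # fixed DNS header (RFC 1035)
RR_OVERHEAD = 12     # 2-byte compressed owner name + TYPE, CLASS, TTL, RDLENGTH
OPT_RR = 11          # EDNS0 OPT pseudo-RR: root name + fixed fields, no options
EDNS_BUFSIZE = 1232  # buffer size used in measurement 3


def name_len(zone):
    """Uncompressed wire length of a domain name such as 'bj.'."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def rsa_dnskey_rdata(bits, exponent=65537):
    """flags(2) + protocol(1) + algorithm(1) + RFC 3110 key (len, exponent, modulus)."""
    exp_len = (exponent.bit_length() + 7) // 8
    return 4 + 1 + exp_len + bits // 8


def rrsig_rdata(zone, signer_bits):
    """18 fixed bytes + uncompressed signer name + RSA signature (modulus size)."""
    return 18 + name_len(zone) + signer_bits // 8


def dnskey_response_size(zone, key_bits, signer_bits):
    """Estimated size of the full DNSKEY answer with +dnssec."""
    size = HEADER + name_len(zone) + 4          # header + question (QTYPE, QCLASS)
    size += sum(RR_OVERHEAD + rsa_dnskey_rdata(b) for b in key_bits)
    size += sum(RR_OVERHEAD + rrsig_rdata(zone, b) for b in signer_bits)
    return size + OPT_RR


def fits_udp(size, bufsize=EDNS_BUFSIZE):
    """False means the server must truncate (TC=1) and the resolver retry over TCP."""
    return size <= bufsize


if __name__ == "__main__":
    cases = {"KSK + 1 ZSK": [4096, 2048], "KSK + 2 ZSKs (rollover)": [4096, 2048, 2048]}
    for label, keys in cases.items():
        n = dnskey_response_size("bj.", keys, signer_bits=[4096])
        print(f"{label}: ~{n} bytes, fits in {EDNS_BUFSIZE}: {fits_udp(n)}")
```

Under these assumptions both estimates are above 1232 bytes, so a resolver advertising that buffer size receives a truncated answer and depends on the TCP retry, the transport exercised in measurement 4.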

