Mark, I didn't see any reply to this; do you have anything to add?
Do you think this flawed assumption could be the cause of the surge in
TCP queries we have been seeing?
Most referrals even when signed will still fit in 512 bytes.
For most TLDs, for most referrals, this is *not* the case.
Most TLDs use NSEC3+OptOut and most registered zones within them don't
sign, so an unsigned-referral proof is required.
I'm seeing in the region of ~600 bytes (580 to 620); 583 was the
smallest I could find (without trying /too/ hard).
$ dig +norec +dnssec @a-dns.pl. far.pl
There is also the very high level of NXDOMAINs that TLDs often see to be
considered.
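
The size argument in the message above can be checked with a small wire-format model. This is an added example, not part of the original thread: it counts the bytes of a referral for an unsigned delegation in an NSEC3 opt-out zone (closest-encloser proof as in RFC 5155: two NSEC3 records, each with an RRSIG). The name server names, salt length, type-bitmap lengths and the 1024-bit RSA signature size are assumptions, and glue records are ignored.

```python
# Added example: estimated wire size of a referral, with and without the
# NSEC3 opt-out proof. Parameter defaults are assumptions, not measured values.

HEADER = 12     # fixed DNS header
RR_FIXED = 10   # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
PTR = 2         # compression pointer used for an owner name
OPT = 11        # EDNS0 OPT pseudo-RR with empty RDATA


def name_len(name):
    """Uncompressed wire length of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def nsec3_rr(salt_len, bitmap_len, hash_len=20):
    # Owner: one 32-character base32hex label (SHA-1) plus a pointer to the zone.
    owner = 1 + 32 + PTR
    # RDATA: alg(1) flags(1) iterations(2) salt-len(1) salt, hash-len(1) hash,
    # then one type-bitmap window: window(1) length(1) bitmap.
    rdata = 5 + salt_len + 1 + hash_len + 2 + bitmap_len
    return owner + RR_FIXED + rdata


def rrsig_rr(zone, sig_len):
    # Owner compresses to a pointer; the signer name is never compressed.
    return PTR + RR_FIXED + 18 + name_len(zone) + sig_len


def referral_size(qname, zone, ns_hosts, dnssec=True, sig_len=128, salt_len=8):
    size = HEADER + name_len(qname) + 4            # header + question section
    for host in ns_hosts:                          # NS RRset, targets uncompressed
        size += PTR + RR_FIXED + name_len(host)
    if dnssec:
        # NSEC3 matching the closest encloser (apex bitmap, 7 bytes assumed) and
        # NSEC3 covering the next-closer name (6-byte bitmap assumed).
        size += nsec3_rr(salt_len, 7) + nsec3_rr(salt_len, 6)
        size += 2 * rrsig_rr(zone, sig_len)
        size += OPT
    return size


if __name__ == "__main__":
    ns = ["ns1.example.net", "ns2.example.net"]    # constructed name server names
    print("plain referral :", referral_size("far.pl", "pl", ns, dnssec=False))
    print("with NSEC3 proof:", referral_size("far.pl", "pl", ns))
```

Under these assumptions the two RRSIGs account for more than half of the signed response, so the signature size dominates whether the referral fits in 512 bytes.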