On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:

> On Mon, 08 Mar 2010, George Barwood wrote:
>> It's interesting to note that currently
>> 
>> dig any . @a.root-servers.net +dnssec
>> 
>> truncates, leading to TCP fallback
>> 
>> but
>> 
>> dig any . @l.root-servers.net +dnssec
>> 
>> does not truncate ( response size is 1906 bytes ).
> 
> a.root-servers.net's six anycast instances currently all run BIND 9
> configured with "max-udp-size 1472" to avoid sending responses larger
> than the Ethernet MTU.  This was a conscious conservative choice and
> the infrastructure is capable of handling the resulting increased TCP
> load.

I'd set it at 1450 personally, because you do have some encapsulation over 
ethernets (eg, PPPoE, IPSEC) which occur, so if the goal is "almost guaranteed 
no fragments", you need to leave a little additional headroom.

But given the current observed difficulty that resolvers have with fragments, 
this is, IMO, a very good decision.

I hate the idea of enshrining the "resolvers can't handle fragments" into the 
infrastructure; it really is necessary, IMO, for root servers and TLD servers.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
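As an added example, not part of this thread or of BIND's code, the following Python models the EDNS0 size negotiation the messages above discuss: the server answers over UDP only up to the smaller of its own max-udp-size and the buffer the client advertised, truncates (TC=1, forcing TCP retry) beyond that, and a datagram that fits the negotiated limit can still be IP-fragmented if it exceeds what the path carries in one frame. The 4096-byte max-udp-size used for the server that does not truncate and the IPsec ESP overhead figure are assumptions for illustration.

```python
"""Constructed model of EDNS0 UDP size limits, truncation and fragmentation."""

IPV4_HDR = 20   # bytes, IPv4 header without options
IPV6_HDR = 40   # bytes, fixed IPv6 header
UDP_HDR = 8

# Per-path encapsulation that reduces the room left inside a 1500-byte
# Ethernet frame. PPPoE costs 8 bytes; the IPsec ESP figure is only an
# assumed round number, since real ESP overhead depends on cipher and mode.
ENCAP_OVERHEAD = {"none": 0, "pppoe": 8, "ipsec_esp": 57}

CLEAN = "sent in one UDP message, unfragmented"
FRAGMENTED = "sent in one UDP message, IP-fragmented on the path"
TRUNCATED = "truncated (TC=1) -> resolver retries over TCP"


def max_unfragmented_payload(mtu=1500, ipv6=False, encap="none"):
    """Largest UDP payload that still fits in a single frame on this path."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return mtu - ENCAP_OVERHEAD[encap] - ip_hdr - UDP_HDR


def udp_outcome(response_size, server_max_udp, client_bufsize=4096,
                path_payload_limit=1472):
    """Classify what happens to a DNS response of response_size bytes.

    The negotiated UDP ceiling is min(client EDNS buffer, server max-udp-size).
    Above it the server truncates; below it the datagram goes out whole and is
    fragmented only if it exceeds what the path carries in one frame.
    """
    limit = min(client_bufsize, server_max_udp)
    if response_size > limit:
        return TRUNCATED
    if response_size > path_payload_limit:
        return FRAGMENTED
    return CLEAN


if __name__ == "__main__":
    # Plain Ethernet, IPv4: 1500 - 20 - 8 = 1472, the thread's max-udp-size.
    for ipv6 in (False, True):
        for encap in ENCAP_OVERHEAD:
            print(f"ipv6={ipv6!s:5} encap={encap:9} payload limit = "
                  f"{max_unfragmented_payload(ipv6=ipv6, encap=encap)}")
    # The 1906-byte 'dig any .' answer from the thread, under both policies.
    print("max-udp-size 1472:", udp_outcome(1906, 1472))
    print("max-udp-size 4096 (assumed):", udp_outcome(1906, 4096))
```

Running it shows why a 1450 figure leaves headroom: PPPoE over IPv4 lowers the single-frame payload to 1464 and plain IPv6 to 1452, both still above 1450.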
