[98508] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Aug 10 11:21:15 2007

To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 09 Aug 2007 22:58:40 -0000."
             <g3bqdgfh7j.fsf@sa.vix.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 10 Aug 2007 11:14:55 -0400
Errors-To: owner-nanog@merit.edu



On Thu, 09 Aug 2007 22:58:40 -0000, Paul Vixie said:

> > How does the (eventual) deployment of DNSSEC change these numbers?
> 
> DNSSEC cannot be signalled except in EDNS.

Right. Elsewhere in this thread, somebody discussed ugly patches to keep
the packet size under 512.  I dread to think how many different ways of
"protecting" DNS are deployed that will break EDNS, and just haven't been
noticed because there's little enough *actual* EDNS breakage that it's down
in the noise of *other* "random voodoo" breakage at those sites.

> > And who's likely to feel *that* pain first?
> 
> the DNSSEC design seems to distribute pain very fairly.

I actually meant "which 800 pound gorilla is going to try this first and
find all the bustifications", but your answer is good too.. :)



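Added example, not part of the original message: a minimal check for the kind of EDNS breakage discussed in this thread, comparing the OPT record (advertised UDP size and DO bit) in a query with what comes back. The function names, result labels and sample messages are constructed for illustration.

```python
import struct

OPT, DO_BIT, TC_BIT = 41, 0x8000, 0x0200  # OPT RR type; DO flag (RFC 3225); TC header flag

def build_msg(name, udp_size=None, do=False, flags=0x0100):
    """Constructed DNS message with one A question; adds an EDNS0 OPT RR if udp_size is set."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0 if udp_size is None else 1)
    msg += qname + struct.pack("!HH", 1, 1)
    if udp_size is not None:
        # OPT: root owner, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT if do else 0, 0)
    return msg

def skip_name(msg, off):
    while True:                   # walk labels until the root label or a pointer
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def edns_info(msg):
    """Return (udp_size, do_flag) from the OPT RR, or None if the message has no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return rclass, bool(ttl & DO_BIT)
    return None

def diagnose(query, response):
    """Label what happened to an EDNS query; response is None on timeout."""
    if edns_info(query) is None:
        return "no-edns-in-query"              # DNSSEC cannot be signalled without EDNS
    if response is None:
        return "no-reply"                      # query or reply dropped somewhere on the path
    if edns_info(response) is None:
        return "opt-missing"                   # EDNS stripped or not supported
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & TC_BIT and len(response) <= 512:
        return "truncated"                     # hint that something still enforces 512 bytes
    return "ok"
```
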
