At 15:53 -0700 8/5/09, Douglas Otis wrote:
DNSSEC UDP will likely become problematic.
dotORG (.org) is DNSSEC signed now. nanog.org is DNSSEC signed now. Still getting mail on the list saying "DNSSEC UDP will be a problem"... (from some commercial's punch line) ...priceless

Continuing,
This might be due to reflected attacks, fragmentation related congestion, or packet loss.
The same issues (related to the size of DNSSEC answers) are also true for the size of IPv6 answers (AAAA RR) and the size of ENUM (NAPTR RR) answers. I.e., the perceived issues related to stuffing data into larger (than 512B) datagrams aren't unique to DNSSEC.

So, if you are paranoid about DNSSEC now, don't worry, there's more to be paranoid about around the corner.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.