[Yeti DNS Discuss] Dealing with IPv6 Fragmentation in the DNS

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Aug 24 12:36:04 UTC 2017


>> Which is fine except for the unfortunate observation that some 17%
>> of resolvers appear to have some kind of broken firewall in front
>> of them that prevents them from establishing a TCP session.
> 
> Wild guess: resolvers in such broken environments are probably not
> validating resolvers and thus will probably never request anything
> larger than 1200/1400 bytes.

This is an interesting thread, and it reminds me that the best thing for DNSSEC is
to move to ECDSA. The number of validating resolvers not understanding
ECDSA is less of a problem than the number of resolvers having problems
with fragmentation / TCP.

Thank you Geoff for all your measurements in this area.

Daniel
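To put numbers behind the argument above, here is an added example (my own code, not anything from the Yeti list or its participants) that hand-encodes a DNSKEY response on the wire per RFC 4034, RFC 5702 (RSA) and RFC 6605 (ECDSA P-256) and compares the resulting message size against the resolver's advertised EDNS buffer and the IPv6 minimum MTU. The zone name "example.", the zero-filled placeholder keys and signatures (only their lengths matter for size), the TTLs, timestamps and key tags are all constructed; it assumes the DNSKEY RRset is signed by the KSK(s) only and compresses only the owner names, since RFC 4034 forbids compressing the RRSIG signer's name. It goes slightly beyond the post by also covering the key-rollover case, where two KSKs and two ZSKs are published at once.

```python
"""Wire-size estimate of a DNSKEY response under RSA vs ECDSA signing (added example)."""
import struct

RSASHA256 = 8          # RFC 5702
ECDSAP256SHA256 = 13   # RFC 6605
TYPE_RRSIG = 46
TYPE_DNSKEY = 48
TYPE_OPT = 41
KSK_FLAGS = 257        # Zone Key + SEP bit
ZSK_FLAGS = 256
IPV6_HEADER, UDP_HEADER, IPV6_MIN_MTU = 40, 8, 1280


def encode_name(name: str) -> bytes:
    """RFC 1035 uncompressed wire form of a dotted name."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """owner + TYPE + CLASS(IN) + TTL + RDLENGTH + RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def public_key_field(algorithm: int, bits: int) -> bytes:
    """Zero-filled placeholder key of the correct wire length (constructed)."""
    if algorithm == RSASHA256:
        # RFC 3110: exponent length byte, exponent 65537 (3 bytes), modulus
        return b"\x03\x01\x00\x01" + b"\x00" * (bits // 8)
    if algorithm == ECDSAP256SHA256:
        return b"\x00" * 64  # RFC 6605: x || y, 32 bytes each, no 0x04 prefix
    raise ValueError("unsupported algorithm")


def signature_field(algorithm: int, bits: int) -> bytes:
    """Zero-filled placeholder signature of the correct wire length (constructed)."""
    if algorithm == RSASHA256:
        return b"\x00" * (bits // 8)  # one modulus-sized integer
    if algorithm == ECDSAP256SHA256:
        return b"\x00" * 64           # r || s, 32 bytes each
    raise ValueError("unsupported algorithm")


def dnskey_rdata(flags: int, algorithm: int, bits: int) -> bytes:
    return struct.pack("!HBB", flags, 3, algorithm) + public_key_field(algorithm, bits)


def rrsig_rdata(type_covered: int, algorithm: int, zone: str, bits: int) -> bytes:
    labels = len([lab for lab in zone.rstrip(".").split(".") if lab])
    # type covered, alg, labels, original TTL, expiration, inception, key tag (constructed)
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels, 3600, 0, 0, 0)
    # RFC 4034 3.1.7: the signer's name MUST NOT be compressed
    return fixed + encode_name(zone) + signature_field(algorithm, bits)


def dnskey_response_size(zone: str, algorithm: int, ksk_bits: int, zsk_bits: int,
                         n_ksk: int = 1, n_zsk: int = 1, rrsigs: int = 1) -> int:
    """Bytes in the DNS message answering `<zone> DNSKEY` with an OPT record."""
    header = b"\x00" * 12
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, 1)
    owner = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    answer = b""
    for _ in range(n_ksk):
        answer += rr(owner, TYPE_DNSKEY, 3600, dnskey_rdata(KSK_FLAGS, algorithm, ksk_bits))
    for _ in range(n_zsk):
        answer += rr(owner, TYPE_DNSKEY, 3600, dnskey_rdata(ZSK_FLAGS, algorithm, zsk_bits))
    for _ in range(rrsigs):  # DNSKEY RRset signed by the KSK(s)
        answer += rr(owner, TYPE_RRSIG, 3600, rrsig_rdata(TYPE_DNSKEY, algorithm, zone, ksk_bits))
    # OPT RR: root owner, TYPE 41, CLASS field = UDP payload size, TTL = flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return len(header + question + answer + opt)


def delivery(size: int, edns_bufsize: int, path_mtu: int = IPV6_MIN_MTU) -> str:
    """How a response of `size` bytes reaches a resolver advertising `edns_bufsize`."""
    if size > edns_bufsize:
        return "truncated -> TCP retry"   # fails behind a firewall that blocks 53/tcp
    if size + IPV6_HEADER + UDP_HEADER > path_mtu:
        return "UDP, fragmented"          # IPv6 fragments are what the thread worries about
    return "UDP, single packet"


if __name__ == "__main__":
    cases = {
        "RSA-2048 KSK + RSA-1024 ZSK": dnskey_response_size("example.", RSASHA256, 2048, 1024),
        "RSA-2048 2xKSK + 2xZSK (rollover)": dnskey_response_size("example.", RSASHA256, 2048, 2048, 2, 2, 2),
        "ECDSA P-256 KSK + ZSK": dnskey_response_size("example.", ECDSAP256SHA256, 256, 256),
        "ECDSA P-256 2xKSK + 2xZSK (rollover)": dnskey_response_size("example.", ECDSAP256SHA256, 256, 256, 2, 2, 2),
    }
    for label, size in cases.items():
        print(f"{label}: {size} bytes; buf 1232: {delivery(size, 1232)}; buf 4096: {delivery(size, 4096)}")
```

The rollover case is the one that bites: four RSA-2048 keys plus two RSA signatures come to 1730 bytes, which is truncated (and so forced onto TCP) for a resolver advertising a 1232-byte buffer and fragmented on an IPv6 path for one advertising 4096, whereas the same four keys and two signatures under ECDSA P-256 are 562 bytes and arrive in one unfragmented UDP packet either way.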

