This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Response size of JP's DNSKEY was changed
- Previous message (by thread): [dns-wg] Analysis of Increased Query Load on Root Name Servers
 - Next message (by thread): [dns-wg] Re: Response size of JP's DNSKEY was changed
 
Masato Minda
minmin at jprs.co.jp
Wed Jul 13 10:30:23 CEST 2011
Folks,
At RIPE 62, I gave a presentation about the response size of DNS with DNSSEC.
Somebody was interested in the reply size of JP's DNSKEY
(slide 9).
In this slide, the response size of JP's DNSKEY was 1203 octets. Last
week (July 7), we changed it.
  $ dig +dnssec jp dnskey | grep SIZE
  ;; MSG SIZE  rcvd: 893
Here is the size of each part of the packet.
    -----------------------
    KSK of DNSKEY      276
    ZSK of DNSKEY      148
    RRSIG by KSK       290
    RRSIG by ZSK       162
    -----------------------
    DNS Header          12
    Question section     8   JP:4 class:2 type:2
    EDNS0               11
    -----------------------
Before July 7, the DNSKEY response had 1 KSK, 3 ZSKs, 1 RRSIG by KSK, and
1 RRSIG by ZSK.
  12 + 8 + 11 + 276*1 + 148*3 + 290*1 + 162*1 = 1203
After July 7, the DNSKEY response has 1 KSK, 2 ZSKs and 1 RRSIG by KSK.
  12 + 8 + 11 + 276*1 + 148*2 + 290*1 + 162*0 = 893
This is the current result.
* KSK rollover
For the KSK rollover, we will use the double signature key rollover.
   12 + 8 + 11 + 276*2 + 148*2 + 290*2 + 162*0 = 1459
Of course, IP and UDP headers are needed in a real packet:
            IPv4    IPv6
    IP        20      40
    UDP        8       8
    --------------------
    total     28      48
The packet size during the KSK rollover is 1487 for IPv4 and 1507 for IPv6.
1507 is bigger than the traditional MTU. :-(
If there is only one ZSK during the KSK rollover, the response size is 1311.
   12 + 8 + 11 + 276*2 + 148*1 + 290*2 + 162*0 = 1311
In this condition, IPv4 is 1339 and IPv6 is 1359. It's ok. :-)
It is a bit of trouble, but we will do our best.
Unfortunately, it is impossible to get below 1280 under the current conditions.
I think that ECC (Elliptic Curve Cryptography) can get under 1280.
Regards,
--
minmin / Masato Minda <minmin at jprs.co.jp>
Research and Development Dept.
Japan Registry Services Co., Ltd. (JPRS)
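
Added example (not part of the original message, and not JPRS code): a small Python model that rebuilds the per-record sizes quoted above from the DNS wire format and recomputes each scenario. The RSA parameters (2048-bit KSK, 1024-bit ZSK, 3-octet exponent) and the 2-octet compressed owner name are assumptions chosen because they reproduce the message's 276/148/290/162 figures; the ECDSA P-256 case goes beyond the message and uses the 64-octet key and signature sizes of DNSSEC algorithm 13.

```python
# Added example: rebuilds the per-record sizes in the message from DNS wire format.
# Assumptions not in the message: RSA with a 3-octet exponent, 2048-bit KSK,
# 1024-bit ZSK, and owner names compressed to a 2-octet pointer.
HEADER = 12
EDNS0 = 1 + 2 + 2 + 4 + 2        # root name, type, UDP size, ext. flags, RDLENGTH
RR_FIXED = 2 + 2 + 2 + 4 + 2     # compressed owner, type, class, TTL, RDLENGTH
IP_UDP = {"IPv4": 20 + 8, "IPv6": 40 + 8}

def name_len(zone):
    """Uncompressed wire length of a domain name such as 'jp'."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1   # length octets + root label

def rsa_pubkey(bits, exponent_octets=3):
    return 1 + exponent_octets + bits // 8       # exp. length, exponent, modulus

def dnskey_rr(pubkey_octets):
    return RR_FIXED + 2 + 1 + 1 + pubkey_octets  # flags, protocol, algorithm, key

def rrsig_rr(zone, sig_octets):
    # 18 fixed RDATA octets, then the signer name (never compressed), then signature
    return RR_FIXED + 18 + name_len(zone) + sig_octets

def response_size(zone, ksk, zsk, n_ksk, n_zsk, sigs_ksk, sigs_zsk):
    """ksk and zsk are (public key octets, signature octets) tuples."""
    question = name_len(zone) + 2 + 2
    return (HEADER + question + EDNS0
            + n_ksk * dnskey_rr(ksk[0]) + n_zsk * dnskey_rr(zsk[0])
            + sigs_ksk * rrsig_rr(zone, ksk[1]) + sigs_zsk * rrsig_rr(zone, zsk[1]))

def on_wire(dns_octets):
    """Add IP and UDP headers for each address family."""
    return {fam: dns_octets + hdr for fam, hdr in IP_UDP.items()}

def exceeds(dns_octets, mtu):
    """Address families whose full packet would be larger than mtu."""
    return [fam for fam, size in on_wire(dns_octets).items() if size > mtu]

RSA_KSK = (rsa_pubkey(2048), 256)
RSA_ZSK = (rsa_pubkey(1024), 128)
P256 = (64, 64)                  # ECDSA P-256 public key and signature octets

if __name__ == "__main__":
    cases = {"before July 7": (RSA_KSK, RSA_ZSK, 1, 3, 1, 1),
             "after July 7": (RSA_KSK, RSA_ZSK, 1, 2, 1, 0),
             "KSK rollover, 2 ZSK": (RSA_KSK, RSA_ZSK, 2, 2, 2, 0),
             "KSK rollover, 1 ZSK": (RSA_KSK, RSA_ZSK, 2, 1, 2, 0),
             "KSK rollover, P-256": (P256, P256, 2, 2, 2, 0)}
    for label, args in cases.items():
        size = response_size("jp", *args)
        print(f"{label:22} {size:5} {on_wire(size)} over 1500: {exceeds(size, 1500)}")
```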