[dns-wg] Response size of JP's DNSKEY was changed
Masato Minda
minmin at jprs.co.jp
Wed Jul 13 10:30:23 CEST 2011
Folks

In RIPE 62, I had a presentation about response size of DNS with DNSSEC.
Somebody was interested about reply size of JP's DNSKEY. (slide 9)

In this slide, the response size of JP's DNSKEY was 1203 octets.
Last week (July 7), we have changed it.

  $ dig +dnssec jp dnskey | grep SIZE
  ;; MSG SIZE rcvd: 893

Here is the size of packet.

  -----------------------
  KSK of DNSKEY       276
  ZSK of DNSKEY       148
  RRSIG by KSK        290
  RRSIG by ZSK        162
  -----------------------

  ----------------------
  DNS Header          12
  Question section     8   JP:4 class:2 type:2
  EDNS0               11
  ----------------------

Before July 7, response of DNSKEY had 1 KSK, 3 ZSK, 1 RRSIG by KSK,
and 1 RRSIG by ZSK.

  12 + 8 + 11 + 276*1 + 148*3 + 290*1 + 162*1 = 1203

After July 7, response of DNSKEY has 1 KSK, 2 ZSK and 1 RRSIG by KSK.

  12 + 8 + 11 + 276*1 + 148*2 + 290*1 + 162*0 = 893

It is current result.

* KSK rollover

In KSK rollover, we will use the double signature key rollover.

  12 + 8 + 11 + 276*2 + 148*2 + 290*2 + 162*0 = 1459

Of course, IP and UDP header are needed in real packet,

           IPv4  IPv6
  IP         20    40
  UDP         8     8
  --------------------
  total      28    48

The size of packet in KSK rollover, IPv4 is 1487, IPv6 is 1507.
1507 is bigger than traditional MTU. :-(

If the ZSK is only one when KSK rollover, its response size is 1311.

  12 + 8 + 11 + 276*2 + 148*1 + 290*2 + 162*0 = 1311

In this condition, IPv4 is 1339, IPv6 is 1359. It's ok. :-)

It is a bit trouble. But, we will do our best.

Unfortunately it is impossible to less than 1280 in current condition.
I think that ECC (Elliptic Curve Cryptography) can clear under 1280.

Regards,
--
minmin / Masato Minda <minmin at jprs.co.jp>
Research and Development Dept.
Japan Registry Services Co., Ltd. (JPRS)
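
Added example, not part of the original message: the per-record sizes above derived from the DNS wire format, then the same double-signature rollover recomputed for ECDSA P-256 keys. The RSA-2048 KSK, RSA-1024 ZSK, 3-octet exponent and compressed owner names are assumptions chosen because they reproduce the posted figures; the function and scenario names are hypothetical.

```python
# Added example. Sizes in octets. Assumptions (not stated in the post):
# RSA-2048 KSK, RSA-1024 ZSK, 3-octet public exponent, owner names compressed
# to a 2-octet pointer, OPT record without EDNS options.
HEADER = 12
OPT_RR = 11                   # root name 1 + type 2 + class 2 + ttl 4 + rdlength 2
RR_FIXED = 2 + 2 + 2 + 4 + 2  # name pointer + type + class + ttl + rdlength
DNSKEY_FIXED = 2 + 1 + 1      # flags + protocol + algorithm
RRSIG_FIXED = 18              # type covered, alg, labels, orig TTL, 2 times, key tag
UDP = 8
IP_HEADER = {"IPv4": 20, "IPv6": 40}

def name_len(zone):
    """Uncompressed wire length of a domain name such as 'jp'."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rsa_pubkey(bits, exponent_octets=3):
    return 1 + exponent_octets + bits // 8   # exponent length + e + modulus

def dnskey_rr(pubkey_octets):
    return RR_FIXED + DNSKEY_FIXED + pubkey_octets

def rrsig_rr(zone, sig_octets):
    # The signer name inside RRSIG RDATA is never compressed.
    return RR_FIXED + RRSIG_FIXED + name_len(zone) + sig_octets

def response_size(zone, keys, sigs):
    """keys: public-key sizes in the DNSKEY RRset; sigs: signature sizes."""
    question = name_len(zone) + 2 + 2
    return (HEADER + question + OPT_RR
            + sum(dnskey_rr(k) for k in keys)
            + sum(rrsig_rr(zone, s) for s in sigs))

def packet_size(dns_octets, family):
    return dns_octets + IP_HEADER[family] + UDP

RSA_KSK, RSA_ZSK = rsa_pubkey(2048), rsa_pubkey(1024)
P256 = 64  # ECDSA P-256 (algorithm 13): 64-octet public key and signature

SCENARIOS = {
    "before July 7":        ([RSA_KSK] + [RSA_ZSK] * 3, [256, 128]),
    "after July 7":         ([RSA_KSK] + [RSA_ZSK] * 2, [256]),
    "KSK rollover, 2 ZSK":  ([RSA_KSK] * 2 + [RSA_ZSK] * 2, [256, 256]),
    "KSK rollover, 1 ZSK":  ([RSA_KSK] * 2 + [RSA_ZSK], [256, 256]),
    "P-256 rollover, 2 ZSK": ([P256] * 4, [P256, P256]),
}

if __name__ == "__main__":
    for label, (keys, sigs) in SCENARIOS.items():
        dns = response_size("jp", keys, sigs)
        v6 = packet_size(dns, "IPv6")
        print(f"{label:22} DNS {dns:4}  IPv6 packet {v6:4}  <=1280: {v6 <= 1280}")
```
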