Response size of JP's DNSKEY was changed
Folks,

In RIPE 62, I had a presentation about the response size of DNS with DNSSEC.
Somebody was interested in the reply size of JP's DNSKEY. (slide 9)

In this slide, the response size of JP's DNSKEY was 1203 octets.
Last week (July 7), we changed it.

$ dig +dnssec jp dnskey | grep SIZE
;; MSG SIZE  rcvd: 893

Here is the size of each part of the packet.

-----------------------
KSK of DNSKEY      276
ZSK of DNSKEY      148
RRSIG by KSK       290
RRSIG by ZSK       162
-----------------------

----------------------
DNS Header          12
Question section     8   (JP: 4, class: 2, type: 2)
EDNS0               11
----------------------

Before July 7, the DNSKEY response had 1 KSK, 3 ZSKs, 1 RRSIG by KSK, and 1 RRSIG by ZSK.

12 + 8 + 11 + 276*1 + 148*3 + 290*1 + 162*1 = 1203

After July 7, the DNSKEY response has 1 KSK, 2 ZSKs and 1 RRSIG by KSK.

12 + 8 + 11 + 276*1 + 148*2 + 290*1 + 162*0 = 893

This is the current result.

* KSK rollover

In the KSK rollover, we will use the double-signature key rollover.

12 + 8 + 11 + 276*2 + 148*2 + 290*2 + 162*0 = 1459

Of course, IP and UDP headers are needed in the real packet:

             IPv4   IPv6
IP            20     40
UDP            8      8
--------------------
total         28     48

The packet size in the KSK rollover is 1487 for IPv4 and 1507 for IPv6.
1507 is bigger than the traditional MTU. :-(

If there is only one ZSK during the KSK rollover, the response size is 1311.

12 + 8 + 11 + 276*2 + 148*1 + 290*2 + 162*0 = 1311

In this condition, IPv4 is 1339 and IPv6 is 1359. It's OK. :-)

It is a bit of trouble. But we will do our best.

Unfortunately it is impossible to get below 1280 in the current condition.
I think that ECC (Elliptic Curve Cryptography) can get under 1280.

Regards,
-- 
minmin / Masato Minda <minmin@jprs.co.jp>
Research and Development Dept.
Japan Registry Services Co., Ltd. (JPRS)
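The per-RR figures in the mail above (276, 148, 290, 162) follow directly from the DNSSEC wire format and the key sizes JP used, and the message totals follow from those. The script below is an added example, not code from the original post or from JPRS: it derives the RR sizes from the RFC 1035/4034/3110 encodings and reproduces the four RSA layouts discussed, then adds a hypothetical ECDSA P-256 row (RFC 6605 encoding, 64-byte key and 64-byte signature) to show why the author expects ECC to fit under 1280. Assumptions, stated in the docstring as well: 2048-bit KSK and 1024-bit ZSK with exponent 65537, answer owner names compressed to a 2-octet pointer, and an uncompressed signer name in RRSIG.

```python
"""Wire-size model for a signed DNSKEY response (constructed example).

Constants come from RFC 1035 (header, question, RR framing), RFC 4034
(DNSKEY and RRSIG RDATA), RFC 3110 (RSA public key encoding) and RFC 6605
(ECDSA P-256).  Assumptions, chosen so that the JP figures in the mail
reproduce exactly: the owner name of every answer RR is a 2-octet
compression pointer to the question name, RSA keys use exponent 65537
(2048-bit KSK, 1024-bit ZSK), and the RRSIG signer name is not compressed
(RFC 4034 section 3.1.7).
"""

DNS_HEADER = 12
EDNS0_OPT_RR = 1 + 2 + 2 + 4 + 2          # root name, TYPE, CLASS, TTL, RDLEN
RR_FRAME = 2 + 2 + 2 + 4 + 2              # pointer owner, TYPE, CLASS, TTL, RDLEN
DNSKEY_FIXED = 2 + 1 + 1                  # flags, protocol, algorithm
RRSIG_FIXED = 2 + 1 + 1 + 4 + 4 + 4 + 2   # type, alg, labels, ottl, exp, inc, tag
IP_UDP_OVERHEAD = {"IPv4": 20 + 8, "IPv6": 40 + 8}
ETHERNET_MTU, IPV6_MIN_MTU = 1500, 1280


def wire_name(name):
    """Uncompressed wire length of a name: 'jp' -> 0x02 'j' 'p' 0x00 = 4."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def rsa_dnskey_rr(modulus_bits, exponent=65537):
    exp_len = (exponent.bit_length() + 7) // 8
    pubkey = 1 + exp_len + modulus_bits // 8      # RFC 3110: length octet, e, n
    return RR_FRAME + DNSKEY_FIXED + pubkey


def rsa_rrsig_rr(modulus_bits, signer):
    return RR_FRAME + RRSIG_FIXED + wire_name(signer) + modulus_bits // 8


def ecdsa_p256_dnskey_rr():
    return RR_FRAME + DNSKEY_FIXED + 64           # RFC 6605: x || y, no prefix


def ecdsa_p256_rrsig_rr(signer):
    return RR_FRAME + RRSIG_FIXED + wire_name(signer) + 64   # r || s


def response_size(zone, rr_sizes):
    """DNS message: header + question (name, QTYPE, QCLASS) + answer RRs + OPT."""
    question = wire_name(zone) + 2 + 2
    return DNS_HEADER + question + sum(rr_sizes) + EDNS0_OPT_RR


def rsa_dnskey_response(zone, n_ksk, n_zsk, n_sig_ksk, n_sig_zsk,
                        ksk_bits=2048, zsk_bits=1024):
    rrs = ([rsa_dnskey_rr(ksk_bits)] * n_ksk
           + [rsa_dnskey_rr(zsk_bits)] * n_zsk
           + [rsa_rrsig_rr(ksk_bits, zone)] * n_sig_ksk
           + [rsa_rrsig_rr(zsk_bits, zone)] * n_sig_zsk)
    return response_size(zone, rrs)


def ecdsa_dnskey_response(zone, n_keys, n_sigs):
    rrs = [ecdsa_p256_dnskey_rr()] * n_keys + [ecdsa_p256_rrsig_rr(zone)] * n_sigs
    return response_size(zone, rrs)


def packet_size(msg_size, family):
    """Size on the wire once the IP and UDP headers are added."""
    return msg_size + IP_UDP_OVERHEAD[family]


def jp_scenarios():
    """The RSA layouts from the mail, plus a hypothetical P-256 rollover."""
    return {
        "before 2011-07-07: 1 KSK, 3 ZSK, RRSIG by KSK + ZSK": rsa_dnskey_response("jp", 1, 3, 1, 1),
        "after 2011-07-07: 1 KSK, 2 ZSK, RRSIG by KSK": rsa_dnskey_response("jp", 1, 2, 1, 0),
        "double-signature KSK rollover, 2 ZSK": rsa_dnskey_response("jp", 2, 2, 2, 0),
        "double-signature KSK rollover, 1 ZSK": rsa_dnskey_response("jp", 2, 1, 2, 0),
        "hypothetical P-256 rollover: 2 KSK, 2 ZSK, 2 RRSIG": ecdsa_dnskey_response("jp", 4, 2),
    }


if __name__ == "__main__":
    for label, size in jp_scenarios().items():
        v6 = packet_size(size, "IPv6")
        flag = (">1500" if v6 > ETHERNET_MTU
                else ">1280" if v6 > IPV6_MIN_MTU else "fits 1280")
        print(f"{size:5d} octets  IPv4 {packet_size(size, 'IPv4'):5d}"
              f"  IPv6 {v6:5d}  {flag}  {label}")
```

Running it prints one row per layout with the IPv4 and IPv6 packet sizes and whether the IPv6 packet exceeds 1500 or 1280; the first four rows give 1203, 893, 1459 and 1311 as in the mail, and the P-256 row comes out at 547 octets before IP/UDP headers. Compare the model against a live answer with `dig +dnssec jp dnskey | grep SIZE` before trusting it for another zone, since a different owner-name layout or signer name shifts the per-RR figures.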
On Wed, Jul 13, 2011 at 05:30:23PM +0900, Masato Minda <minmin@jprs.co.jp> wrote a message of 71 lines which said:
> In this condition, IPv4 is 1339 and IPv6 is 1359. It's OK. :-)
> It is a bit of trouble. But we will do our best.
>
> Unfortunately it is impossible to get below 1280 in the current condition.

What's the purpose of this exercise? Many TLDs have larger DNSKEY sets (for instance, .FR) and "it works". Is it really a good idea to change the DNSKEY set just to avoid problems with the minority of broken sites? What is your goal in doing so?