philip.homburg@ripe.net:
The probes are already measuring this. I don't think we made any graphs of the results.
Do you also measure whether the path to root servers (other DNS servers?) allow for fragmented UDP packets? If you announce an EDNS(0) buffer size of 4K and ask for some DNSSEC related records, you often receive fragmented UDP messages. It would be interesting to see whether those fragments make it back to the client. If not, there will be timeouts and TCP resends, which I call bad (YMMV). The query produced by the command dig @X.root-servers.net . ANY +dnssec ticles the root servers to send a 3966-byte message, which triggers interesting behaviour in my neck of the woods - such as fragment reordering and consequential reassembly failure - so it's important to not only look at the IP result of the query, but to actually look at the arriving packets. Just a thought ... Cheers, /Lars-Johan Liman #---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail: liman@netnod.se # Senior Systems Specialist ! Tel: +46 8 - 562 860 12 # Netnod Internet Exchange, Stockholm ! http://www.netnod.se/ #----------------------------------------------------------------------