by enzanki_ars
1420 days ago
Cloudflare also outlines the following reason in the linked blog post:

> "The reason this matters so much is that the maximum size of an unsigned UDP packet is typically 512 octets. DNSSEC requires support for at least 1220 octets long messages over UDP, but above that limit, the client may need to upgrade to DNS over TCP. A good practice is to keep enough headroom in order to keep response sizes below fragmentation threshold during zone signing key rollover periods."