by fanf2
977 days ago
Dunno why there are so many foot-draggers failing to deploy better DNSSEC algorithms. I’m grumpy about SHA-1 in particular https://datatracker.ietf.org/doc/html/draft-fanf-dnsop-sha-l... When I query vjhv.verisign.com I get a response containing four 2048 bit RSA-SHA-2 signatures in 1049 bytes which is well within the EDNS MTU for unfragmented UDP, so I’m not convinced the problem is as bad as you paint it. There have been problems with EDNS trying to use fragmented UDP, but that has been reduced a lot by newer software being more cautious about message size limits for DNS over UDP. DNS needs TCP even in the absence of DNSSEC, because there are queries you cannot resolve without it. Some operators might convince themselves they can get away without it, but they will probably suffer subtle breakage.
I was referring to the non-EDNS 512-byte limit.
Yes, you get ~2.5 times more with EDNS. Still, four records is not a lot.
> DNS needs TCP even in the absence of DNSSEC, because there are queries you cannot resolve without it.
Theoretically? Perhaps. Some would argue that connectionless DNS is valuable enough that people should not create those resource records. Before DNSSEC that was a working consensus. And with ECC it could be once again.
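The size argument running through both comments above (four signatures against the 512-byte non-EDNS limit versus an EDNS buffer, and why ECC changes the answer) can be checked with a back-of-the-envelope wire-size estimate. This is an added example, not code from either commenter; the field widths are the RFC 1035/4034/6891 wire formats, the signature lengths are those of the named DNSSEC algorithms, and the names and record counts are constructed.

```python
# Added example, not from the thread: estimate the wire size of a signed DNS
# answer and classify it against the classic 512-byte UDP limit and an EDNS
# buffer size, to see how the signature algorithm changes the outcome.
# Constants come from the RFC wire formats; the names below are constructed.

DNS_HEADER = 12      # RFC 1035 header
RR_FIXED = 10        # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2), after the owner name
COMPRESSED_NAME = 2  # owner name sent as a compression pointer to the question name
RRSIG_FIXED = 18     # RFC 4034 3.1: type covered(2) alg(1) labels(1) TTL(4) exp(4) inc(4) key tag(2)
OPT_RR = 11          # RFC 6891 OPT pseudo-RR with empty RDATA: root name(1) + RR_FIXED

# Raw signature length in bytes per DNSSEC algorithm (RFC 5702, RFC 6605, RFC 8080).
SIG_BYTES = {
    "RSASHA256-2048": 256,  # 2048-bit modulus gives a 256-byte signature
    "ECDSAP256SHA256": 64,  # r || s, 32 bytes each
    "ED25519": 64,
}

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: a length byte per label plus the root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1

def rrsig_rr_len(signer: str, alg: str) -> int:
    """Wire length of one RRSIG RR with a compressed owner name (the signer name is never compressed)."""
    return COMPRESSED_NAME + RR_FIXED + RRSIG_FIXED + wire_name_len(signer) + SIG_BYTES[alg]

def response_len(qname: str, signer: str, alg: str, n_sigs: int,
                 n_data_rrs: int = 1, rdata_bytes: int = 4, edns: bool = True) -> int:
    """Header + question + one RRset of n_data_rrs records + n_sigs RRSIGs over it (+ OPT RR if EDNS)."""
    size = DNS_HEADER + wire_name_len(qname) + 4           # question: QNAME + QTYPE + QCLASS
    size += n_data_rrs * (COMPRESSED_NAME + RR_FIXED + rdata_bytes)
    size += n_sigs * rrsig_rr_len(signer, alg)
    return size + (OPT_RR if edns else 0)

def transport(size: int, edns_bufsize: int = 1232) -> str:
    """512 is the non-EDNS limit; 1232 is the conservative EDNS buffer size many resolvers now advertise."""
    if size <= 512:
        return "classic UDP"
    if size <= edns_bufsize:
        return "EDNS UDP"
    return "TCP (or fragmented UDP)"

if __name__ == "__main__":
    for alg in SIG_BYTES:
        n = response_len("www.example.com", "example.com", alg, n_sigs=4)
        print(f"{alg:16} four RRSIGs: {n:5} bytes -> {transport(n)}")
```

Four RSA-2048 signatures over even a single A record land well past 512 bytes and, at a 1232-byte EDNS buffer, past UDP altogether, while four ECDSA P-256 or Ed25519 signatures over the same record fit in a classic 512-byte response.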