Skip to main content

DO=1 Queries and small reply size limits at the Root

Recently, the U.S. Department of Commerece, ICANN, and Verisign announced their cooperation to get the DNS Root zone signed by the end of 2009. Anyone who has had the pleasure of signing a DNS zone knows that the DNSSEC keys and signatures are much larger than most DNS resource records (and not particularly pretty, either). There is some concern among DNS operators that a signed root zone will lead to truncated responses and queries arriving over TCP, rather than UDP. RFC 4035 has something to say about DNSSEC and message sizes:
A security-aware name server MUST support the EDNS0 ([RFC2671]) message size extension, MUST support a message size of at least 1220 octets, and SHOULD support a message size of 4000 octets.
DNS-OARC looked at EDNS data last year and found about 65% of queries used EDNS and a message size of 4096, a little less than 35% did not use EDNS at all, and a very small percentage used EDNS with an advertized message size of 512 bytes. More recently we've been asked to look at EDNS message sizes again and see how often a root server receives queries with the DO bit set and a message size of 512 bytes. The results of our analysis of the DITL 2009 data are below: The first graph (above) shows distributions of queries received from three classes of clients: No EDNS, EDNS with the DNSSEC OK bit clear, and EDNS with the DNSSEC OK bit set. For example, in this plot we can see that "DO=1" queries were received from about one million different clients, the busiest of that group sent more than 10 million queries in this 72 hour period. The "No EDNS" group sent fewer queries overall, but there are more clients in that group. The second graph shows, again, that about 65% of queries arrive with DO=1 and a buffer size of 4096. These DNS clients meet the requirements of RFC 4035 should be fine with respect to large DNSSEC responses. The blue area represents the approximately 31% of queries that lack EDNS. These should be fine also, since they are not requesting to be sent any DNSSEC records. However, the green area beneath the blue shows that about 2% of queries arrive with DO=1 and a message size of 512 bytes. If these clients switch to TCP, it could present a significant load to the root server system. The final graph shows a distribution, similar to the first, for the clients in this "DO=1 512 bytes" category. In this 72 hour period, the root server received such queries from about 75,000 unique sources.