Folks,
At RIPE 62, I gave a presentation about the response size of DNS with DNSSEC.
Somebody was interested in the reply size of JP's DNSKEY.
(slide 9)
In that slide, the response size of JP's DNSKEY was 1203 octets. Last
week (July 7), we changed it.
$ dig +dnssec jp dnskey | grep SIZE
;; MSG SIZE rcvd: 893
Here are the sizes of the packet components.
-----------------------
KSK of DNSKEY 276
ZSK of DNSKEY 148
RRSIG by KSK 290
RRSIG by ZSK 162
-----------------------
----------------------
DNS Header 12
Question section 8 JP:4 class:2 type:2
EDNS0 11
----------------------
Before July 7, the DNSKEY response had 1 KSK, 3 ZSKs, 1 RRSIG by the KSK, and
1 RRSIG by the ZSK.
12 + 8 + 11 + 276*1 + 148*3 + 290*1 + 162*1 = 1203
After July 7, the DNSKEY response has 1 KSK, 2 ZSKs and 1 RRSIG by the KSK.
12 + 8 + 11 + 276*1 + 148*2 + 290*1 + 162*0 = 893
This is the current result.
* KSK rollover
For the KSK rollover, we will use the double-signature key rollover.
12 + 8 + 11 + 276*2 + 148*2 + 290*2 + 162*0 = 1459
Of course, IP and UDP headers are needed in the real packet:
IPv4 IPv6
IP 20 40
UDP 8 8
--------------------
total 28 48
The packet size during the KSK rollover is 1487 for IPv4 and 1507 for IPv6.
1507 is bigger than the traditional MTU. :-(
If there is only one ZSK during the KSK rollover, the response size is 1311.
12 + 8 + 11 + 276*2 + 148*1 + 290*2 + 162*0 = 1311
In this condition, IPv4 is 1339 and IPv6 is 1359. That's OK. :-)
It is a bit of trouble. But we will do our best.
Unfortunately it is impossible to get below 1280 under the current conditions.
I think that ECC (Elliptic Curve Cryptography) can get under 1280.
Regards,
--
minmin / Masato Minda <minmin(a)jprs.co.jp>
Research and Development Dept.
Japan Registry Services Co., Ltd. (JPRS)
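The arithmetic in the mail above, carried through as an added example (this is not JPRS's code, and not part of the original message): a small calculator that derives the DNSKEY and RRSIG record sizes from the wire format in RFC 1035, RFC 3110, RFC 4034, RFC 6605 and RFC 6891 instead of taking them as given, reproduces the 1203 / 893 / 1459 / 1311 octet counts, adds IP+UDP overhead, and checks the result against the 1500 and 1280 octet MTUs. It assumes a 2048-bit RSA KSK and 1024-bit RSA ZSKs with exponent 65537 (these are assumptions; they are the sizes that produce 276 / 148 / 290 / 162 octets per record), owner names compressed to 2-octet pointers, and an empty EDNS0 OPT RR. The final scenario goes beyond the mail: it estimates the same double-signature rollover with ECDSA P-256 keys, as a concrete check of the closing remark about ECC.

```python
# Added example (not JPRS code): estimate DNSSEC DNSKEY response sizes on the wire.
# Octet counts follow RFC 1035 (header, question, RR framing), RFC 6891 (empty
# OPT RR), RFC 3110 (RSA DNSKEY rdata), RFC 4034 (RRSIG rdata) and RFC 6605
# (ECDSA P-256 key and signature). Key sizes are assumptions, see lead-in.
from dataclasses import dataclass
from typing import Dict, List, Tuple

DNS_HEADER = 12                          # RFC 1035 section 4.1.1
EDNS0_OPT_RR = 11                        # root name 1 + type 2 + class 2 + TTL 4 + rdlength 2
NAME_POINTER = 2                         # owner name compressed to a pointer into the question
RR_FIXED = NAME_POINTER + 2 + 2 + 4 + 2  # owner ptr, type, class, TTL, rdlength = 12
RRSIG_FIXED_RDATA = 2 + 1 + 1 + 4 + 4 + 4 + 2  # type covered .. key tag (RFC 4034 3.1) = 18
IP_UDP_OVERHEAD = {"IPv4": 20 + 8, "IPv6": 40 + 8}
ETHERNET_MTU = 1500
IPV6_MIN_MTU = 1280


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: a length octet per label plus the root octet."""
    labels = [label for label in name.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1      # "jp" -> 4


def question_len(qname: str) -> int:
    return wire_name_len(qname) + 2 + 2                      # QNAME + QTYPE + QCLASS


@dataclass(frozen=True)
class Key:
    alg: str               # "RSA" or "ECDSAP256"
    bits: int = 0          # RSA modulus size; unused for ECDSA
    exponent_len: int = 3  # RSA public exponent 65537 takes three octets

    def dnskey_rr_len(self) -> int:
        rdata = 2 + 1 + 1                                    # flags, protocol, algorithm
        if self.alg == "RSA":
            rdata += 1 + self.exponent_len + self.bits // 8  # RFC 3110: exp length, exponent, modulus
        elif self.alg == "ECDSAP256":
            rdata += 64                                      # RFC 6605: x || y, no point prefix
        else:
            raise ValueError(f"unsupported algorithm {self.alg}")
        return RR_FIXED + rdata

    def signature_len(self) -> int:
        return self.bits // 8 if self.alg == "RSA" else 64   # ECDSA P-256 signature is r || s

    def rrsig_rr_len(self, signer: str) -> int:
        # RFC 4034 section 3.1.7: the Signer's Name field must not be compressed
        return RR_FIXED + RRSIG_FIXED_RDATA + wire_name_len(signer) + self.signature_len()


def dnskey_response_len(zone: str, dnskeys: List[Key], signers: List[Key]) -> int:
    """DNS message size: header, question, every DNSKEY RR, one RRSIG per signing key, OPT RR."""
    size = DNS_HEADER + question_len(zone) + EDNS0_OPT_RR
    size += sum(k.dnskey_rr_len() for k in dnskeys)
    size += sum(k.rrsig_rr_len(zone) for k in signers)
    return size


def packet_len(msg_len: int, family: str) -> int:
    return msg_len + IP_UDP_OVERHEAD[family]


def fits(msg_len: int, mtu: int, family: str = "IPv6") -> bool:
    """True if the whole IP packet carrying the DNS message fits in one MTU-sized frame."""
    return packet_len(msg_len, family) <= mtu


KSK_RSA2048 = Key("RSA", 2048)   # assumed KSK: 276-octet DNSKEY, 290-octet RRSIG
ZSK_RSA1024 = Key("RSA", 1024)   # assumed ZSK: 148-octet DNSKEY, 162-octet RRSIG
P256 = Key("ECDSAP256")          # assumed ECC alternative for the last scenario

# (DNSKEY RRset, keys whose RRSIGs are included) for each situation in the mail
SCENARIOS: Dict[str, Tuple[List[Key], List[Key]]] = {
    "before July 7":        ([KSK_RSA2048] + [ZSK_RSA1024] * 3, [KSK_RSA2048, ZSK_RSA1024]),
    "after July 7":         ([KSK_RSA2048] + [ZSK_RSA1024] * 2, [KSK_RSA2048]),
    "KSK rollover, 2 ZSK":  ([KSK_RSA2048] * 2 + [ZSK_RSA1024] * 2, [KSK_RSA2048] * 2),
    "KSK rollover, 1 ZSK":  ([KSK_RSA2048] * 2 + [ZSK_RSA1024], [KSK_RSA2048] * 2),
    "KSK rollover, ECDSA P-256": ([P256] * 4, [P256] * 2),   # beyond the mail: all-ECC estimate
}


def report(zone: str = "jp") -> Dict[str, Tuple[int, int, int]]:
    """Map scenario -> (DNS message octets, IPv4 packet octets, IPv6 packet octets)."""
    rows = {}
    for label, (dnskeys, signers) in SCENARIOS.items():
        msg = dnskey_response_len(zone, dnskeys, signers)
        rows[label] = (msg, packet_len(msg, "IPv4"), packet_len(msg, "IPv6"))
    return rows


if __name__ == "__main__":
    for label, (msg, v4, v6) in report().items():
        flags = f"<=1500:{'yes' if v6 <= ETHERNET_MTU else 'NO':3}  <=1280:{'yes' if v6 <= IPV6_MIN_MTU else 'NO'}"
        print(f"{label:28} msg {msg:5}  IPv4 {v4:5}  IPv6 {v6:5}  {flags}")
```

Run it to get one line per scenario; the IPv6 column is the one to compare against the MTU, since the IPv6 header is 20 octets larger. The all-ECDSA rollover comes out at 547 octets of DNS message (595 with IPv6 and UDP headers), well under 1280 even with two KSKs, two ZSKs and two signatures, which is the quantitative form of the closing remark about ECC. To model a different plan, change the key list in SCENARIOS; the per-record arithmetic is where the savings are, so the RSA modulus size and the number of RRSIGs dominate.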