[ksk-rollover] 答复: 答复: Observation on Large response issue during Yeti KSK rollover

Olaf Kolkman kolkman at isoc.org
Mon Aug 21 14:23:07 UTC 2017

On 3 Aug 2017, at 7:33, Davey Song wrote:

> Geoff reported that 17% of resolvers cannot ask a query in TCP. So probably in extreme case there are 0.34% of IPv6 resolvers around the world will fail to validate the answers. 0.34% of millions (if IPv6 dominant), It is not a trivial number.

Is the set of resolvers that cannot ask a TCP query (inversely) correlated with resolvers that do DNSSEC? I would assume that a DNSSEC capable resolver will happily resolve over TCP. I can't imagine that there is a 17% prevalence of TCP blocking firewalls. But who knows…

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170821/5932bce9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3763 bytes
Desc: S/MIME digital signature
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170821/5932bce9/smime.p7s>

More information about the ksk-rollover mailing list