[ksk-rollover] çå¤: çå¤: Observation on Large response issue during Yeti KSK rollover
Olaf Kolkman
kolkman at isoc.org
Mon Aug 21 14:23:07 UTC 2017
On 3 Aug 2017, at 7:33, Davey Song wrote:
> Geoff reported that 17% of resolvers cannot ask a query in TCP. So probably in extreme case there are 0.34% of IPv6 resolvers around the world will fail to validate the answers. 0.34% of millions (if IPv6 dominant), It is not a trivial number.
Is the set of resolvers that cannot ask a TCP query (inversely) correlated with resolvers that do DNSSEC? I would assume that a DNSSEC capable resolver will happily resolve over TCP. I can't imagine that there is a 17% prevalence of TCP blocking firewalls. But who knows…
—Olaf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170821/5932bce9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3763 bytes
Desc: S/MIME digital signature
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170821/5932bce9/smime.p7s>
More information about the ksk-rollover
mailing list