Preparing for upcoming DNSSEC changes on 5/5

Lightner, Jeff jlightner at
Mon May 3 19:54:39 UTC 2010

To follow up on Peter's question: what does it mean if one sees the
"reply size limit is at least" with a value lower than the advertised
EDNS buffer size?

This link talks about various scenarios but not that one so I'm not sure
if this means Peter and I need to be concerned.

I saw similar results as Peter so set my edns-udp-size to 3839, which was
the lower "at least" value I saw when it was advertising 4096. (I saw
3843 on the other test.)

On doing that, however, I now see the advertised value is 3839 but the
"at least" value is 3828 on one and 3827 on the other, as shown below.
Based on that it appears one should NOT set the edns-udp-size as it
doesn't fix the problem.

The issue 
[root at dswadns1 etc]# dig txt +short
" sent EDNS buffer size 3839"
" summary bs=3839,rs=3828,edns=1,do=1"
" DNS reply size limit is at least 3828 bytes"

[root at dswadns1 etc]# dig +short txt
"Tested at 2010-05-03 19:35:55 UTC"
" sent EDNS buffer size 3839"
" DNS reply size limit is at least 3827"

-----Original Message-----
From: at
[ at] On Behalf
Of Peter Laws
Sent: Monday, May 03, 2010 1:16 PM
To: bind-users at
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 01/-10/37 13:59, Kalman Feher wrote:

> Second, make sure the tested effective size appears in your named.conf
> the options statement "edns-udp-size" on your resolver.
> In your case:
>   edns-udp-size 3843;

Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the test, which I assume is the default.  I, too, get the 3843
least" value.

Why would I set it to 3843?  Wouldn't I want it to be set to 4096 even
*some* device between here and only allows that smaller

I just woke up to this issue, sorry to say.  Interestingly, it didn't
up (directly) during the Educause webinar about DNSSEC last week (.edu
be signed in July).

Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at
Feedback? Contact my director, Craig Cochell, craigc at Thank you!
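
To compare the advertised buffer size with the measured limit across test runs, the TXT strings quoted in the message above can be parsed as follows. This is an added example, not part of the original thread; the function name and record fields are illustrative, and reading `bs`/`rs` in the summary line as buffer size and reply size is an assumption based on the values matching the other two lines.

```python
import re

SENT_RE = re.compile(r"sent EDNS buffer size (\d+)")
LIMIT_RE = re.compile(r"DNS reply size limit is at least (\d+)")

def parse_reply_size_test(txt_lines):
    """Parse one run of the reply-size test (the TXT strings dig prints)."""
    run = {"advertised": None, "measured": None, "summary": {}}
    for raw in txt_lines:
        line = raw.strip().strip('"').strip()
        if (m := SENT_RE.search(line)):
            run["advertised"] = int(m.group(1))
        elif (m := LIMIT_RE.search(line)):
            run["measured"] = int(m.group(1))
        elif line.startswith("summary"):
            # e.g. summary bs=3839,rs=3828,edns=1,do=1
            run["summary"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}
    # Gap between what the resolver advertised and what the test measured.
    if run["advertised"] is not None and run["measured"] is not None:
        run["gap"] = run["advertised"] - run["measured"]
    else:
        run["gap"] = None  # output was incomplete, nothing to compare
    # When a summary line is present it should agree with the other two lines.
    s = run["summary"]
    run["consistent"] = (
        s.get("bs", run["advertised"]) == run["advertised"]
        and s.get("rs", run["measured"]) == run["measured"]
    )
    return run

# The two outputs quoted in the message above (one per query).
RUN_A = [
    '" sent EDNS buffer size 3839"',
    '" summary bs=3839,rs=3828,edns=1,do=1"',
    '" DNS reply size limit is at least 3828 bytes"',
]
RUN_B = [
    '"Tested at 2010-05-03 19:35:55 UTC"',
    '" sent EDNS buffer size 3839"',
    '" DNS reply size limit is at least 3827"',
]

if __name__ == "__main__":
    for name, lines in (("A", RUN_A), ("B", RUN_B)):
        r = parse_reply_size_test(lines)
        print(f"run {name}: advertised={r['advertised']} measured={r['measured']} "
              f"gap={r['gap']} consistent={r['consistent']}")
```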