Preparing for upcoming DNSSEC changes on 5/5

Kalman Feher kalman.feher at
Mon May 3 20:09:44 UTC 2010

On 3/05/10 9:54 PM, "Lightner, Jeff" <jlightner at> wrote:

> On doing that however, I now see the advertised value is 3839 but the
> "at least" value is 3828 on one and 3827 on the other as shown below.
> Based on that it appears one should NOT set the edns-udp-size as it
> doesn't fix the problem.
This appears to be due to the nature of the testing tool.

Refer to the "How it works" section here:

You probably won't get an exact match due to its search method.

This may also place doubt on the maximum UDP size you are capable of. The
best way to find out for certain, is to try querying something that is
exactly 4096 and seeing if you get a truncated response (thus switching to

Note that this is further investigation is not required for 5/5. But its
always good to understand your network's limits. And may become more useful
in the coming months and years as DNSSEC pushes average query sizes up.

Kal Feher | Melbourne IT | Malmö, Sweden | ph: +46 406 919185 | mob: +46 734

More information about the bind-users mailing list