DNSSEC provides immense security, but it comes with a 'tax'. By adding large cryptographic keys and signatures to every response, we are pushing the limits of the original DNS protocol, which was designed for tiny packets.
Original DNS over UDP had a hard limit of 512 bytes. A standard A record is tiny, but a DNSSEC response (containing the A record, the RRSIG, and potentially the DNSKEY) often exceeds 1,000 bytes. If a response is too large, the server must either truncate the packet (setting the 'TC' bit) or the packet will be dropped by the network.
EDNS0 (Extension Mechanisms for DNS) was created to solve this. It lets the client advertise, in the query itself, the larger UDP packet size it can accept (e.g., 4096 bytes), so client and server agree on the size before the response is sent.
In the output above, the `udp: 4096` tells the server that the client can handle larger packets. If the server does not support EDNS0, it will truncate the response and force the client to retry over TCP.
Even if EDNS0 is enabled, large UDP packets are often fragmented by routers. Many corporate firewalls and ISPs view UDP fragments as a sign of a DoS attack and drop them immediately. This creates 'DNS Black Holes' where DNSSEC-signed domains are unreachable for users behind strict firewalls.
This is the 'DNSSEC Paradox': the more security you add to the packet (longer keys $\rightarrow$ larger signatures), the more likely the packet is to be dropped by a firewall.
| Issue | Root Cause | Impact | Mitigation |
|---|---|---|---|
| Truncation | 512-byte limit | Force TCP fallback (Slow) | Enable EDNS0 |
| Fragmentation | Large UDP packets | Packet loss / SERVFAIL | Reduce key size (use ECDSA) |
| Amplification | Large responses | DDoS potential | Response Rate Limiting (RRL) |
| CPU Load | Cryptographic checks | Slower resolution | Hardware Acceleration |
To avoid fragmentation, the industry is moving away from RSA and toward **ECDSA (Elliptic Curve Digital Signature Algorithm)**. An ECDSA key provides the same security as a 2048-bit RSA key but is significantly smaller. This keeps the total DNS response size below the typical MTU (Maximum Transmission Unit) of 1500 bytes.
Avoid using the 'Force TCP' option for all DNS queries. TCP involves a 3-way handshake, which is significantly slower than UDP and can easily overwhelm a DNS server under load.