minimal-any on master
Jim Popovitch
jimpop at domainmail.org
Mon Sep 5 16:39:07 UTC 2016
On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote:
> Jim Popovitch via bind-users <bind-users at lists.isc.org> wrote:
> >
> > Thanks. Now I'm seeing something slightly different. I have 3 NS
> > servers, ns{1-3}.domainmail.org.
> >
> > When I first asked 3 days ago I was seeing long ANY responses on the
> > master (ns1). Today I am seeing long ANY responses on ns3 (but not
> > ns1). O.o
> >
> > for ns in ns1 ns2 ns3; do dig ANY domainmail.org @$ns.domainmail.org|wc -c; done
> > 591
> > 610
> > 13280
>
> OK, this is SUBTLE.
>
> minimal-any is a bit stupid: it just hands out the first RRset it gets
> out of the guts of BIND without any attempt to choose the smallest or
> otherwise choose an RRset consistently. This means you will get different
> answers from different servers depending on how the zone has changed
> recently - especially if there is churn due to DNSSEC re-signing.
>
> So it is expected that you will get answers of varying sizes. But why such
> a huge variation in this case?
>
> Well, minimal-any doesn't apply to queries over TCP - you get the full
> unexpurgated ANY response over TCP. So, if you use `dig +tcp` you will get
> the huge answer from all your servers. If you use `dig +ignore` (i.e.
> ignore truncation) you will prevent dig from switching from UDP to TCP, so
> you should get a more reliable indication that minimal-any is actually
> working.
>
> Now why are you getting a truncated response?
>
> If I look at the RRsets at the apex of your zone, most of them are pretty
> small, but the DNSKEY RRset is huge. (See script below.) So if your server
> happens to choose the DNSKEY RRset as its response to ANY, that might lead
> to TC and retry over TCP.
Thank you for detailing that Tony, I now have a better understanding.
>
> Your DNSKEY RRset is huge because you have four keys (two KSKs and two
> ZSKs) and four RRSIGs (one for each key).
I call that "full mesh"! :-)
> You can reduce this a bit by setting dnssec-dnskey-kskonly in named.conf.
> This tells BIND to only use KSKs to sign the DNSKEY RRset, which would
> reduce you from 4 signatures to 2.
Done. Thank you for suggesting that.
> You can also be careful when setting up your key rollovers so that only
> one key is active at a time, which would reduce you to 1 signature.
Hmmm, this is counter to what I've believed all along. I thought it was prudent to have key overlap during rollovers. Or are you saying only do ZSK rollovers well after the KSK rollover has settled?
> And you can avoid rolling ZSK and KSK at the same time, so you only have 2
> or 3 DNSKEY records.
>
Yes, the current situation is due to unfortunate timing.
-Jim P.
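As an added example (not code from the thread), a small POSIX shell script implementing the check Tony describes: query each server with `+ignore` so dig stays on UDP and reports TC instead of silently retrying over TCP, show which RRset minimal-any handed back, and compare against the full `+tcp` answer. It assumes `dig` is installed and that the zone and server names are passed as arguments; the embedded dig output is a constructed sample used only for offline checking of the parsing helpers.

```shell
#!/bin/sh
# Compare a zone's ANY answer over UDP (minimal-any applies) and TCP (it does
# not). +ignore keeps dig from retrying over TCP when TC is set, so the UDP
# numbers reflect what minimal-any actually handed out.
# Assumes `dig` is installed; usage: sh check_any.sh ZONE NS1 [NS2 ...]

# Print "tc" if the dig output on stdin has the TC flag set, else "ok".
tc_status() {
    if grep -q '^;; flags:.* tc[ ;]'; then echo tc; else echo ok; fi
}

# Print the RR types found in the ANSWER section, in first-seen order.
answer_types() {
    awk '/^;; ANSWER SECTION:/ {a=1; next}
         /^$/                  {a=0}
         a && !/^;/ && !seen[$4]++ {print $4}' | paste -s -d ' ' -
}

# Print the wire size dig reports (more accurate than `wc -c` on the text).
msg_size() {
    sed -n 's/^;; MSG SIZE *rcvd: //p'
}

# Query one server both ways and print a one-line summary.
probe() {
    zone=$1; server=$2
    udp=$(dig +norecurse +ignore ANY "$zone" "@$server")
    tcp=$(dig +norecurse +tcp ANY "$zone" "@$server")
    printf '%s udp=%s bytes %s [%s] tcp=%s bytes\n' "$server" \
        "$(printf '%s\n' "$udp" | msg_size)" \
        "$(printf '%s\n' "$udp" | tc_status)" \
        "$(printf '%s\n' "$udp" | answer_types)" \
        "$(printf '%s\n' "$tcp" | msg_size)"
}

# Constructed sample of a truncated UDP answer (DNSKEY RRset chosen by
# minimal-any), used for offline checks only; not real dig output.
SAMPLE_TRUNCATED=';; flags: qr aa tc rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.  300  IN  DNSKEY  257 3 8 AwEAAexamplekskdata
example.org.  300  IN  DNSKEY  256 3 8 AwEAAexamplezskdata
example.org.  300  IN  RRSIG   DNSKEY 8 2 300 20160930000000 20160901000000 12345 example.org. examplesig

;; MSG SIZE  rcvd: 1232'

if [ $# -ge 2 ]; then
    zone=$1; shift
    for ns in "$@"; do probe "$zone" "$ns"; done
fi
```

A server that prints `tc [DNSKEY RRSIG]` over UDP but a much larger `tcp=` size is behaving exactly as described above: minimal-any picked the DNSKEY RRset, and it alone was big enough to set TC.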