Clarification on DNSKEY query

Mark Andrews marka at isc.org
Wed Feb 22 06:18:10 UTC 2012


In message <CANYqYkMfOGp30KgS4_X=bw2qzBOwencNJ5706VKvfu9o+=SYCw at mail.gmail.com>
, rams writes:
> Hi,
> When I queried a domain with type DNSKEY, I am getting only ANSWER section
> and not returned Authority section. Is it expected?

Yes.

> It would be helpful if you give the RFC number for reference.

Adding NS records to an answer is optional; they are only required
for a referral (RFC 1035).

Signed DNSKEY responses tend to be large and by the time a DNSKEY
query is made a recursive server will almost always have the NS
RRset.  Similarly for DS queries the recursive server will almost
always have the NS RRset; in fact it may have had to make an explicit
NS query to find the correct set of nameservers to ask.  Adding NS
records and associated glue can push answers over various thresholds,
increasing the likelihood of triggering recovery strategies to work
around mis-configured firewalls, which often involve falling back to
TCP.  To reduce this named turns on minimal-response for DNSKEY and
DS queries.

	response > 512
	response requires fragmentation
	response too big to fit in advertised UDP buffer

Named also turns on minimal-response for EDNS responses where the
UDP buffer size is 512.  This again reduces the probability of TCP
fallback being required.

Mark

> Thanks & Regards,
> Ramesh
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
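As an added illustration (not part of Mark's reply or of BIND's code), the following builds a constructed DNSKEY response in wire format, with and without an authority section and with or without an EDNS OPT record, then parses it to answer the original question (is NSCOUNT zero?) and to apply the two size thresholds from the reply: the classic 512-byte UDP limit and the UDP buffer size advertised in the OPT record. Zone names and key bytes are made up for the example.

```python
import struct

DNSKEY, NS, OPT, IN = 48, 2, 41, 1
UDP_LIMIT = 512  # classic RFC 1035 UDP payload limit when no EDNS is present

def encode_name(name):
    # "example.com." -> b"\x07example\x03com\x00" (uncompressed labels)
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rclass, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(zone, key_bytes, ns_names=(), edns_udp=None):
    """Constructed DNSKEY answer (flags 257/3/8 = KSK, RSASHA256) for the example.
    ns_names fills the authority section; edns_udp adds an OPT RR whose CLASS
    field carries the advertised UDP buffer size (RFC 6891)."""
    answer = [rr(zone, DNSKEY, IN, struct.pack("!HBB", 257, 3, 8) + key_bytes)]
    authority = [rr(zone, NS, IN, encode_name(n)) for n in ns_names]
    additional = [rr(".", OPT, edns_udp, b"", ttl=0)] if edns_udp else []
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1,  # QR=1, AA=1
                         len(answer), len(authority), len(additional))
    question = encode_name(zone) + struct.pack("!HH", DNSKEY, IN)
    return header + question + b"".join(answer + authority + additional)

def skip_name(wire, pos):
    while True:
        n = wire[pos]
        if (n & 0xC0) == 0xC0:   # compression pointer terminates the name
            return pos + 2
        pos += 1 + n
        if n == 0:
            return pos

def analyze(wire):
    """Report whether an authority section is present and whether the
    message fits the UDP size the client can accept (else TC/TCP fallback)."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(wire, pos) + 4          # QTYPE + QCLASS
    edns_udp = None
    for _ in range(an + ns + ar):
        pos = skip_name(wire, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            edns_udp = rclass                   # advertised UDP payload size
    limit = edns_udp or UDP_LIMIT
    return {"size": len(wire), "has_authority": ns > 0,
            "edns_udp": edns_udp, "fits_udp": len(wire) <= limit}
```

With a 400-byte key the minimal answer stays under 512 bytes, while adding two NS records pushes the same response over the limit unless the client advertises a larger EDNS buffer.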


