minimal-any on master

Tony Finch dot at dotat.at
Mon Sep 5 16:12:47 UTC 2016


Jim Popovitch via bind-users <bind-users at lists.isc.org> wrote:
>
> Thanks.  Now I'm seeing something slightly different.  I have 3 NS
> servers, ns{1-3}.domainmail.org.
>
> When I first asked 3 days ago I was seeing long ANY responses on the
> master (ns1).  Today I am seeing long ANY responses on ns3 (but not
> ns1).  O.o
>
> for ns in ns1 ns2 ns3; do dig ANY domainmail.org @$ns.domainmail.org|wc -c; done
> 591
> 610
> 13280

OK, this is SUBTLE.

minimal-any is a bit stupid: it just hands out the first RRset it gets
out of the guts of BIND without any attempt to choose the smallest or
otherwise choose an RRset consistently. This means you will get different
answers from different servers depending on how the zone has changed
recently - especially if there is churn due to DNSSEC re-signing.

So it is expected that you will get answers of varying sizes. But why such
a huge variation in this case?

Well, minimal-any doesn't apply to queries over TCP - you get the full
unexpurgated ANY response over TCP. So, if you use `dig +tcp` you will get
the huge answer from all your servers. If you use `dig +ignore` (i.e.
ignore truncation) you will prevent dig from switching from UDP to TCP, so
you should get a more reliable indication that minimal-any is actually
working.

Now why are you getting a truncated response?

If I look at the RRsets at the apex of your zone, most of them are pretty
small, but the DNSKEY RRset is huge. (See script below.) So if your server
happens to choose the DNSKEY RRset as its response to ANY, that might lead
to TC and retry over TCP.

Your DNSKEY RRset is huge because you have four keys (two KSKs and two
ZSKs) and four RRSIGs (one for each key).

You can reduce this a bit by setting dnssec-dnskey-kskonly in named.conf.
This tells BIND to only use KSKs to sign the DNSKEY RRset, which would
reduce you from 4 signatures to 2.

You can also be careful when setting up your key rollovers so that only
one key is active at a time, which would reduce you to 1 signature.

And you can avoid rolling ZSK and KSK at the same time, so you only have 2
or 3 DNSKEY records.

$ dig +dnssec +tcp domainmail.org any @ns1.domainmail.org |
  awk '!/^;|^$/ { print $4 }' | sort -u |
  while read t; do echo $t;
    dig +norec +ignore +dnssec domainmail.org $t @ns1.domainmail.org | grep SIZE;
  done
A
;; MSG SIZE  rcvd: 691
AAAA
;; MSG SIZE  rcvd: 703
DNSKEY
;; MSG SIZE  rcvd: 3407
MX
;; MSG SIZE  rcvd: 696
NS
;; MSG SIZE  rcvd: 729
NSEC
;; MSG SIZE  rcvd: 725
RRSIG
;; MSG SIZE  rcvd: 675
SOA
;; MSG SIZE  rcvd: 722
SPF
;; MSG SIZE  rcvd: 727
TXT
;; MSG SIZE  rcvd: 808

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Hebrides, Bailey: Cyclonic 5 to 7, becoming southwesterly 7 to
severe gale 9. Rough becoming high or very high. Occasional rain. Moderate or
poor, occasionally good.
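An added example, not from Tony's post or from BIND itself: a small Python checker for the `dig +ignore` versus `dig +tcp` comparison described above. It reads saved dig text output, reports whether the UDP answer carried the TC flag (which is what makes a plain `dig ANY` retry over TCP and show the full answer) and whether minimal-any handed out a single RRset. The dig outputs embedded below are constructed, with example.org standing in for the real zone.

```python
import re

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
SIZE_RE = re.compile(r"^;; MSG SIZE +rcvd: (\d+)", re.M)
ANSWER_RE = re.compile(r"^;; ANSWER SECTION:\n((?:[^;\n][^\n]*\n)*)", re.M)

def parse_dig(text):
    """Return (header flags, MSG SIZE, RR types in the ANSWER section) from dig's text output."""
    flags, size, answer = FLAGS_RE.search(text), SIZE_RE.search(text), ANSWER_RE.search(text)
    types = set()
    for line in (answer.group(1).splitlines() if answer else []):
        fields = line.split()  # owner TTL class TYPE rdata...
        if len(fields) > 4:
            types.add(fields[3])
    return (set(flags.group(1).split()) if flags else set(),
            int(size.group(1)) if size else 0, types)

def minimal_any_verdict(udp_text, tcp_text):
    """Compare `dig +ignore ANY` (UDP, no TCP retry) with `dig +tcp ANY` from the same server."""
    udp_flags, udp_size, udp_types = parse_dig(udp_text)
    _, tcp_size, tcp_types = parse_dig(tcp_text)
    udp_rrsets, tcp_rrsets = udp_types - {"RRSIG"}, tcp_types - {"RRSIG"}
    truncated = "tc" in udp_flags  # TC is what makes a plain `dig ANY` retry over TCP
    return {
        "udp_truncated": truncated, "udp_size": udp_size, "tcp_size": tcp_size,
        "udp_rrset": udp_rrsets,
        # minimal-any is working when UDP carries one RRset and TCP carries the full set
        "minimal_any_active": not truncated and len(udp_rrsets) == 1 and udp_rrsets < tcp_rrsets,
    }

# Constructed dig output for the cases discussed in the post (not captured from domainmail.org).
UDP_SMALL = """;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
example.org.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20160930000000 20160901000000 12345 example.org. AAAA

;; MSG SIZE  rcvd: 591
"""
UDP_TC = ";; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; MSG SIZE  rcvd: 52\n"
TCP_FULL = """;; flags: qr aa; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
example.org.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAc...
example.org.\t3600\tIN\tRRSIG\tDNSKEY 8 2 3600 20160930000000 20160901000000 12345 example.org. AAAA

;; MSG SIZE  rcvd: 13280
"""
```

For a live check, feed `minimal_any_verdict` the text of `dig +norec +dnssec +ignore domainmail.org ANY @nsX` and of the same query with `+tcp`; a truncated UDP answer with a huge TCP answer is the DNSKEY case above, not minimal-any failing.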