[nsd-users] authority section blocking aaaa additionals

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Aug 1 08:56:31 CEST 2013


Hi James,

On 07/31/2013 06:55 PM, James Cloos wrote:
> I’m experimenting with nsd for my secondaries.
> 
> I notice that an MX lookup for my primary zone includes the AAAA
> for only one of the two MXs returned.
> 
> The primary NS, running power, includes the AAAA for both MXs.
> 
> The difference seems to be that power doesn’t send authority
> records, and therefore can fit all nine of the additional records
> which it sends.
> 
> By including the NS set (3 NS and an RRSIG), nsd wants to send 17 
> additional records (determined via a tcp query), but can only fit 
> 11 in udp.
> 
> For the tcp query, dig reports “MSG SIZE  rcvd: 2026” and for the
> udp query it reports “MSG SIZE  rcvd: 1429” which implies that
> nsd’s 4096 default is not the problem.

This is because NSD uses a UDP size limit of 1480 (IPv4) and 1220
(IPv6).  And this is how it truncates the messages.  This is why on
IPv6 you get less data.  And the additional AAAA records do not fit
within this limit.

If you do not want this, use ./configure --disable-minimal-responses
and then it'll use 4096 like you thought you wanted.

> Without dnssec, of course, everything fits.

It is the size.

Best regards,
   Wouter

> The MX whose AAAA is returned happens also to be an NS for the
> zone; I cannot tell whether that is why its AAAA gets included.
> 
> Can nsd be configured to skip the authority block?  Or would that 
> require a recompilation?  Or to put the additionals from the
> answer ahead of the additionals from the authority?
> 
> Amusingly, sending the query via udp/ip6 returns NO AAAA records at
> all, so a v6-only client would need to do explicit AAAA queries for
> each mx after doing the MX query.
> 
> Without the authority section, even a v6 reply with the additionals
> for the mx answer fits into a single ethernet frame.
> 
> -JimC
> 

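A simplified model of the UDP size limits described in the reply above, added here as an example; it is not NSD source code and not from either poster. The RRset sizes, the host names (mx1, mx2, ns2, ns3), the A-before-AAAA ordering and the "no authority" case (the original poster's hypothetical) are constructed assumptions chosen to reproduce the behaviour discussed.

```python
# Added illustration: a simplified model, not NSD source code.
V4_LIMIT, V6_LIMIT, EDNS_MAX = 1480, 1220, 4096  # figures from the thread above

def udp_limit(client_edns, ipv6, minimal_responses=True):
    """Largest UDP response the server will build for this query."""
    cap = (V6_LIMIT if ipv6 else V4_LIMIT) if minimal_responses else EDNS_MAX
    return min(client_edns, cap)

def pack(base, additional, limit):
    """Add optional additional RRsets (each with its RRSIG) while they fit.

    Model assumptions: RRsets are kept or dropped whole, and dropping an
    additional RRset does not set the TC bit.
    """
    used, sent, dropped = base, [], []
    for name, size in additional:
        if used + size <= limit:
            used += size
            sent.append(name)
        else:
            dropped.append(name)
    return used, sent, dropped

# Constructed sizes in bytes for a signed zone; not measured from a real server.
HEADER_QUESTION = 45
MX_ANSWER = 230        # 2 MX + RRSIG
NS_AUTHORITY = 230     # 3 NS + RRSIG
A, AAAA = 190, 200     # one address RRset + RRSIG
# Assumed order: all A RRsets first, then AAAA. mx1 is also a nameserver.
HOSTS = ("mx1", "mx2", "ns2", "ns3")
WITH_AUTH = [(f"{h} A", A) for h in HOSTS] + [(f"{h} AAAA", AAAA) for h in HOSTS]
MX_ONLY = [(n, s) for n, s in WITH_AUTH if n.startswith("mx")]

def scenario(ipv6, authority=True, minimal_responses=True, client_edns=4096):
    """Return (response size, RRsets sent, RRsets dropped) for one query."""
    base = HEADER_QUESTION + MX_ANSWER + (NS_AUTHORITY if authority else 0)
    extra = WITH_AUTH if authority else MX_ONLY
    return pack(base, extra, udp_limit(client_edns, ipv6, minimal_responses))

if __name__ == "__main__":
    cases = [("udp/ip4", dict(ipv6=False)),
             ("udp/ip6", dict(ipv6=True)),
             ("udp/ip6, no authority", dict(ipv6=True, authority=False)),
             ("udp/ip4, --disable-minimal-responses",
              dict(ipv6=False, minimal_responses=False))]
    for label, kw in cases:
        size, sent, dropped = scenario(**kw)
        print(f"{label}: {size} bytes, dropped {dropped or 'nothing'}")
```

With these constructed sizes the IPv4 reply carries the AAAA for one MX only, the IPv6 reply carries no AAAA at all, and both MX AAAA sets fit once the limit is 4096 or the authority section is left out.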

