[nsd-users] authority section blocking aaaa additionals
wouter at nlnetlabs.nl
Thu Aug 1 08:56:31 CEST 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 07/31/2013 06:55 PM, James Cloos wrote:
> I’m expermienting with nsd for my secondaries.
> I notice that an MX lookup for my primary zone includes the AAAA
> for only one of the two MXs returned.
> The primary NS, running power, includes the AAAA for both MXs.
> The difference seems to be that power doesn’t send authority
> records, and therefore can fit all nine of the additional records
> which it sends.
> By including the NS set (3 NS and an RRSIG), nsd wants to send 17
> additional records (determined via a tcp query), but can only fit
> 11 in udp.
> For the tcp query, dig reports “MSG SIZE rcvd: 2026” and for the
> udp query it reports “MSG SIZE rcvd: 1429” which implies that
> nsd’s 4096 default is not the problem.
This is because NSD uses a UDP size limit of 1480 (IPv4) and 1220
(IPv6). And this is how it truncates the messages. This is why on
IPv6 you get less data. And the additional AAAA records do not fit
within this limit.
If you do not want this, use ./configure --disable-minimal-responses
and then it'll use 4096 like you thought you wanted.
> Without dnssec, of course, everything fits.
It is the size.
> The MX whose AAAA is returned happens also to be an NS for the
> zone; I cannot tell whether that is why its AAAA gets included.
> Can nsd be configured to skip the authority block? Or would that
> require a recompilation? Or to put the additionals from the
> answer ahead of the additionals from the authority?
> Amusingly, sending the query via udp/ip6 returns NO AAAA records at
> all, so a v6-only client would need to do explicit AAAA queries for
> each mx after doing the MX query.
> Without the authority section, even a v6 reply with the additionals
> for the mx answer fits into a single ethernet frame.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the nsd-users