[nsd-users] authority section blocking aaaa additionals
cloos at jhcloos.com
Wed Jul 31 18:55:38 CEST 2013
I’m expermienting with nsd for my secondaries.
I notice that an MX lookup for my primary zone includes the AAAA for
only one of the two MXs returned.
The primary NS, running power, includes the AAAA for both MXs.
The difference seems to be that power doesn’t send authority records,
and therefore can fit all nine of the additional records which it sends.
By including the NS set (3 NS and an RRSIG), nsd wants to send 17
additional records (determined via a tcp query), but can only fit
11 in udp.
For the tcp query, dig reports “MSG SIZE rcvd: 2026” and for the udp
query it reports “MSG SIZE rcvd: 1429” which implies that nsd’s 4096
default is not the problem.
Without dnssec, of course, everything fits.
The MX whose AAAA is returned happens also to be an NS for the zone; I
cannot tell whether that is why its AAAA gets included.
Can nsd be configured to skip the authority block? Or would that
require a recompilation? Or to put the additionals from the answer
ahead of the additionals from the authority?
Amusingly, sending the query via udp/ip6 returns NO AAAA records at all,
so a v6-only client would need to do explicit AAAA queries for each mx
after doing the MX query.
Without the authority section, even a v6 reply with the additionals for
the mx answer fits into a single ethernet frame.
James Cloos <cloos at jhcloos.com> OpenPGP: 1024D/ED7DAEA6
More information about the nsd-users