On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote:
> Jim Popovitch via bind-users <bind-users@lists.isc.org> wrote:
> >
> > Thanks. Now I'm seeing something slightly different. I have 3 NS
> > servers, ns{1-3}.domainmail.org.
> >
> > When I first asked 3 days ago I was seeing long ANY responses on the
> > master (ns1). Today I am seeing long ANY responses on ns3 (but not
> > ns1). O.o
> >
> > for ns in ns1 ns2 ns3; do dig ANY domainmail.org @$ns.domainmail.org|wc -c; done
> > 591
> > 610
> > 13280
>
> OK, this is SUBTLE.
>
> minimal-any is a bit stupid: it just hands out the first RRset it gets
> out of the guts of BIND without any attempt to choose the smallest or
> otherwise choose an RRset consistently. This means you will get different
> answers from different servers depending on how the zone has changed
> recently - especially if there is churn due to DNSSEC re-signing.
>
> So it is expected that you will get answers of varying sizes. But why such
> a huge variation in this case?
>
> Well, minimal-any doesn't apply to queries over TCP - you get the full
> unexpurgated ANY response over TCP. So, if you use `dig +tcp` you will get
> the huge answer from all your servers. If you use `dig +ignore` (i.e.
> ignore truncation) you will prevent dig from switching from UDP to TCP, so
> you should get a more reliable indication that minimal-any is actually
> working.
>
> Now why are you getting a truncated response?
>
> If I look at the RRsets at the apex of your zone, most of them are pretty
> small, but the DNSKEY RRset is huge. (See script below.) So if your server
> happens to choose the DNSKEY RRset as its response to ANY, that might lead
> to TC and retry over TCP.
Thank you for detailing that Tony, I now have a better understanding.

> Your DNSKEY RRset is huge because you have four keys (two KSKs and two
> ZSKs) and four RRSIGs (one for each key). I call that "full mesh"! :-)
> You can reduce this a bit by setting dnssec-dnskey-kskonly in named.conf.
> This tells BIND to only use KSKs to sign the DNSKEY RRset, which would
> reduce you from 4 signatures to 2.

Done. Thank you for suggesting that.

> You can also be careful when setting up your key rollovers so that only
> one key is active at a time, which would reduce you to 1 signature.

Hmmm, this is counter to what I've believed all along. I thought it was
prudent to have key overlap during rollovers. Or are you saying only do ZSK
rollovers well after the KSK rollover has settled?

> And you can avoid rolling ZSK and KSK at the same time, so you only have 2
> or 3 DNSKEY records.

Yes, the current situation is due to unfortunate timing.

-Jim P.
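The sizing argument in Tony's quoted reply (four DNSKEYs plus four RRSIGs, versus KSK-only signing of the DNSKEY RRset, versus a single active key per role), worked through as an added example. This is not the script Tony refers to, which is not part of this message, and not code from the thread or from BIND; the zone name is taken from the thread, but the key algorithm (RSA), the modulus sizes (2048-bit KSKs, 1024-bit ZSKs) and the UDP buffer sizes it compares against are assumptions chosen to make the arithmetic concrete. It models only what a minimal-any UDP answer carrying the DNSKEY RRset would weigh on the wire, and whether that exceeds the client's buffer and so forces TC=1 and the TCP retry Tony describes.

```python
"""Estimate the wire size of a signed apex DNSKEY RRset and whether a
minimal-any UDP answer consisting of just that RRset would be truncated.

Constructed illustration, not BIND code and not the script quoted in the
thread. Key sizes, key counts and buffer sizes below are assumptions."""

from dataclasses import dataclass

# Fixed wire-format costs (RFC 1035 message format, RFC 4034 DNSKEY/RRSIG).
HEADER = 12        # DNS message header
QUESTION_FIXED = 4 # QTYPE(2) + QCLASS(2), after the question name
RR_FIXED = 10      # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
NAME_PTR = 2       # owner name in the answer section, compressed to a pointer
OPT_RR = 11        # EDNS0 OPT pseudo-RR with no options (root name + 10)
DNSKEY_FIXED = 4   # flags(2) + protocol(1) + algorithm(1)
RRSIG_FIXED = 18   # type covered .. key tag; signer name and signature follow


def wire_name_len(name: str) -> int:
    """Uncompressed wire length: one length byte per label, plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def rsa_dnskey_rdata_len(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """RFC 3110 RSA public key RDATA: exponent length byte (exponent < 256
    bytes, e.g. 65537 is 3 bytes) + exponent + modulus."""
    return DNSKEY_FIXED + 1 + exponent_bytes + modulus_bits // 8


def rsa_rrsig_rdata_len(modulus_bits: int, signer: str) -> int:
    """RRSIG RDATA: fixed fields + signer name (never compressed, RFC 4034)
    + signature, which for RSA is modulus-sized."""
    return RRSIG_FIXED + wire_name_len(signer) + modulus_bits // 8


@dataclass
class Key:
    role: str            # "KSK" or "ZSK"
    bits: int            # RSA modulus size (assumption)
    active: bool = True  # currently producing signatures


def dnskey_rrset_wire_len(zone: str, keys: list, kskonly: bool) -> int:
    """Bytes for every DNSKEY RR plus one RRSIG per key that signs the RRset.
    With kskonly (dnssec-dnskey-kskonly) only active KSKs sign it."""
    total = sum(NAME_PTR + RR_FIXED + rsa_dnskey_rdata_len(k.bits) for k in keys)
    signers = [k for k in keys if k.active and (k.role == "KSK" or not kskonly)]
    total += sum(NAME_PTR + RR_FIXED + rsa_rrsig_rdata_len(k.bits, zone)
                 for k in signers)
    return total


def one_rrset_answer_len(zone: str, rrset_len: int, edns: bool = True) -> int:
    """Size of a response carrying exactly one RRset, which is what a
    minimal-any UDP answer holds, with or without an OPT record."""
    return HEADER + wire_name_len(zone) + QUESTION_FIXED + rrset_len + (OPT_RR if edns else 0)


def would_truncate(answer_len: int, udp_bufsize: int) -> bool:
    """TC=1 is set when the answer does not fit the client's UDP buffer."""
    return answer_len > udp_bufsize


def scenarios(zone: str = "domainmail.org") -> dict:
    """The three DNSKEY-signing arrangements discussed in the thread, with
    assumed 2048-bit KSKs and 1024-bit ZSKs. Returns answer sizes in bytes."""
    ksk, zsk = Key("KSK", 2048), Key("ZSK", 1024)
    cases = {
        "full mesh (2 KSK + 2 ZSK, all sign DNSKEY)": ([ksk, ksk, zsk, zsk], False),
        "2 KSK + 2 ZSK, dnssec-dnskey-kskonly":        ([ksk, ksk, zsk, zsk], True),
        "1 KSK + 1 ZSK, dnssec-dnskey-kskonly":        ([ksk, zsk], True),
    }
    return {name: one_rrset_answer_len(zone, dnskey_rrset_wire_len(zone, keys, kskonly))
            for name, (keys, kskonly) in cases.items()}


if __name__ == "__main__":
    # 512 = no EDNS, 1232 = a common conservative EDNS buffer, 4096 = dig's default
    for name, size in scenarios().items():
        flags = ", ".join(f"TC@{b}" if would_truncate(size, b) else f"ok@{b}"
                          for b in (512, 1232, 4096))
        print(f"{size:5d} bytes  {name}  [{flags}]")
```

Run it as a script to see the three sizes side by side; to check what a live server actually sends, query it with `dig +ignore` (UDP, no fallback to TCP) and compare the reported message size and TC flag against the estimate for the RRset it returned.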
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users