[dns-operations] signing a zone with NSEC3 records.

Matthew Pounsett mpounsett at ca.afilias.info
Thu Sep 10 15:32:37 UTC 2009

On 10-Sep-2009, at 09:17, David Blacka wrote:

> On Sep 10, 2009, at 5:01 AM, bert hubert wrote:
>> Also, NSEC3 significantly increases the size of NXDOMAIN responses
>> (which need 3 NSEC3 records, plus associated signatures). This increase
>> will often push the datagram carrying a response beyond the point
>> where it needs to be fragmented over several packets.
> That isn't what I've seen.  Well, the NXDOMAIN *are* bigger, sure,
> but not so big as to fragment.  For the zones I'm working on,
> the NXDOMAIN is about 1000 bytes, well below most path MTUs.
> So either you are using much larger ZSKs, are thinking that the path
> MTUs are much smaller than I do, or are exaggerating for effect.

You're right, the increase in the size of NXDOMAIN responses isn't
always enough to cause fragmentation, but that size increase has other
negative effects as well.  When ORG was signed, we saw an order of
magnitude jump in TCP traffic (from ~0.1% to ~1.0%) within hours.
This was with no DS in the zone, so the only additional data in
responses that could explain the shift in traffic was the NSEC3 RRs
(the increase in the size of NXDOMAIN responses).

The best info we've got so far blames this on a combination of
fragmentation and bad EDNS0 implementations/configurations.  A few
months down the road, we're currently seeing TCP traffic as about 2%
of total.  We need to do some number crunching to explain the
increase.  It may be a steady increase over time, or it may be due to
a change we made to increase the negative TTL on the zone (a drop in
UDP traffic with no corresponding drop in TCP traffic).
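The thread argues about three numbers: how big an NSEC3 NXDOMAIN actually is, whether it crosses a path MTU, and what happens at a client without working EDNS0. The script below is an added example (not from this post, the list, or any Afilias tooling) that builds those numbers from the RFC 4034/5155 wire formats: it computes a real NSEC3 owner hash, sums the authority section of an NXDOMAIN (SOA plus RRSIG, three NSEC3 records plus RRSIGs), and classifies the result as plain UDP, fragmented UDP, or a TCP fallback. The zone names, salt length, SOA names and key sizes are constructed assumptions chosen to resemble a TLD, not measurements of ORG; owner names are assumed to compress to pointers, and signatures are assumed to be RSA (signature length equals the modulus length).

```python
"""Estimate the wire size of an NSEC3-signed NXDOMAIN response and classify
how it reaches an IPv4 client. Added illustration; all names, key sizes and
the salt length are constructed, not taken from any real zone."""
import base64
import hashlib

DNS_HEADER = 12            # id, flags, four section counts
QUESTION_FIXED = 4         # qtype + qclass
RR_FIXED = 10              # type(2) class(2) ttl(4) rdlength(2)
OPT_RR = 11                # root owner(1) + RR_FIXED, no EDNS options
POINTER = 2                # compressed name reference (RFC 1035 4.1.4)
NSEC3_HASH_LABEL = 1 + 32  # length byte + base32hex of a SHA-1 digest
RRSIG_FIXED = 18           # type covered .. key tag, before the signer name
IPV4_UDP_OVERHEAD = 28     # 20-byte IPv4 header + 8-byte UDP header

# Assumption: every type in a bitmap is < 256, so a single window block suffices.
NS, SOA, RRSIG, DNSKEY, NSEC3PARAM = 2, 6, 46, 48, 51

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 of (name || salt), rehashed `iterations` times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()


def type_bitmap_len(types) -> int:
    """Window number + bitmap length byte + enough bytes for the highest type."""
    return 2 + max(types) // 8 + 1


def nsec3_rdata_len(salt_len: int, types) -> int:
    # hash alg(1) flags(1) iterations(2) salt len(1) salt hash len(1) SHA-1(20) bitmap
    return 1 + 1 + 2 + 1 + salt_len + 1 + 20 + type_bitmap_len(types)


def rrsig_rdata_len(zsk_bits: int, signer_len: int = POINTER) -> int:
    """RSA signature length equals the modulus length; signer name compressed."""
    return RRSIG_FIXED + signer_len + zsk_bits // 8


def rr_len(owner_len: int, rdata_len: int) -> int:
    return owner_len + RR_FIXED + rdata_len


def nxdomain_size(qname, mname, rname, zsk_bits, salt_len, bitmaps, edns=True):
    """Authority section of an NSEC3 NXDOMAIN: SOA + RRSIG, then three NSEC3
    records (closest encloser, next closer name, wildcard), each with an RRSIG.
    Apex owner names are assumed to compress to pointers into the qname."""
    size = DNS_HEADER + len(wire_name(qname)) + QUESTION_FIXED
    soa_rdata = len(wire_name(mname)) + len(wire_name(rname)) + 20  # five 32-bit fields
    size += rr_len(POINTER, soa_rdata) + rr_len(POINTER, rrsig_rdata_len(zsk_bits))
    owner = NSEC3_HASH_LABEL + POINTER  # hashed label + pointer to the zone name
    for types in bitmaps:
        size += rr_len(owner, nsec3_rdata_len(salt_len, types))
        size += rr_len(owner, rrsig_rdata_len(zsk_bits))
    return size + (OPT_RR if edns else 0)


def delivery(size: int, edns_bufsize: int = 0, path_mtu: int = 1500) -> str:
    """How a response of `size` bytes travels to an IPv4 client."""
    limit = edns_bufsize or 512  # no EDNS0 (or a broken one): classic 512-byte limit
    if size > limit:
        return "tcp"             # server truncates (TC=1); resolver retries over TCP
    if size + IPV4_UDP_OVERHEAD > path_mtu:
        return "udp-fragmented"  # accepted as one UDP payload, but split into IP fragments
    return "udp"


# Constructed scenario: apex NSEC3 plus two delegation-style NSEC3 records.
BITMAPS = ([NS, SOA, RRSIG, DNSKEY, NSEC3PARAM], [NS], [NS])

if __name__ == "__main__":
    # RFC 5155 Appendix B test vector: hash of "example." with salt aabbccdd, 12 iterations
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    for bits in (1024, 2048):
        n = nxdomain_size("doesnotexist.org.", "a0.org.example.",
                          "hostmaster.example.", bits, 8, BITMAPS)
        print(f"ZSK {bits}: {n} bytes, no-EDNS0 -> {delivery(n)}, "
              f"EDNS0/4096 -> {delivery(n, 4096)}")
```

With a 1024-bit RSA ZSK the model lands at 1104 bytes, in the same range as the "about 1000 bytes" quoted above: it fits unfragmented over UDP for a client advertising a 4096-byte EDNS0 buffer, but any client without working EDNS0 gets a truncated answer and retries over TCP, which is the failure mode the TCP-traffic jump points at. Doubling the ZSK to 2048 bits adds four signatures' worth of bytes and pushes the same response past a 1500-byte path MTU, so it is still UDP but now fragmented.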
