[dns-operations] signing a zone with NSEC3 records.
mpounsett at ca.afilias.info
Thu Sep 10 15:32:37 UTC 2009
On 10-Sep-2009, at 09:17, David Blacka wrote:
> On Sep 10, 2009, at 5:01 AM, bert hubert wrote:
>> Also, NSEC3 significantly increases the size of NXDOMAIN responses
>> (which need 3 NSEC3 records, plus associated signatures). This
>> will often push the datagram carrying a response beyond the point
>> where it needs to be fragmented over several packets.
> That isn't what I've seen. Well, the NXDOMAIN *are* bigger, sure,
> but not so big as to fragment. For the zones I'm working on,
> the NXDOMAIN is about 1000 bytes, well below most path MTUs.
> So either you are using much larger ZSKs, are thinking that the path
> MTUs are much smaller than I do, or are exaggerating for effect.
You're right, the increase in the size of NXDOMAIN responses isn't
always enough to cause fragmentation, but that size increase has other
negative effects as well. When ORG was signed, we saw an order of
magnitude jump in TCP traffic (from ~0.1% to ~1.0%) within hours.
This was with no DS in the zone, so the only additional data in
responses that could explain the shift in traffic was the NSEC3 RRs
(the increase in the size of NXDOMAIN responses).
The best info we've got so far blames this on a combination of
fragmentation and bad EDNS0 implementations/configurations. A few
months down the road, we're currently seeing TCP traffic as about 2%
of total. We need to do some number crunching to explain the
increase. It may be a steady increase over time, or it may be due to
a change we made to increase the negative TTL on the zone (a drop in
UDP traffic with no corresponding drop in TCP traffic).
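The three-record closest-encloser proof and the size arithmetic behind the disagreement quoted above, as an added worked example (not code from this thread or from any of its posters). It builds the NSEC3 chain for the example zone of RFC 5155 Appendix A (salt aabbccdd, 12 iterations), produces the NSEC3 records an authoritative server must put in the authority section of a Name Error, and then applies a rough size model to show how the ZSK size alone moves such a reply across the 1500-byte MTU. The size model is an assumption of the example: no name compression, an 8-byte type bitmap, and an RSA ZSK whose signature length equals the modulus length.

```python
"""NSEC3 NXDOMAIN (closest-encloser) proof for a toy zone plus a size estimate.

Added example; not from the dns-operations thread. Owner names, salt and
iteration count come from the RFC 5155 Appendix A zone. The size model is a
constructed approximation (uncompressed names, fixed 8-byte type bitmap).
"""
import base64
import hashlib

ZONE_APEX = "example."
# Owner names of the RFC 5155 Appendix A zone (the RRsets themselves are not needed).
ZONE_NAMES = [
    "example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
    "w.example.", "*.w.example.", "x.w.example.", "x.y.w.example.",
    "xx.example.", "y.example.",
]
SALT = bytes.fromhex("aabbccdd")   # NSEC3PARAM 1 0 12 aabbccdd
ITERATIONS = 12
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 s5: SHA-1(name||salt), then `iterations` further rounds of SHA-1(h||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parent(name):
    return name.split(".", 1)[1]        # "c.x.w.example." -> "x.w.example."


def all_owner_names(names):
    """Zone names plus the empty non-terminals they imply (each gets an NSEC3)."""
    owners = {ZONE_APEX}
    for n in names:
        while n != ZONE_APEX:
            owners.add(n)
            n = parent(n)
    return owners


def build_nsec3_chain(names):
    """Sorted (owner_hash, next_hash, name) triples; the last record wraps to the first."""
    hashed = sorted((nsec3_hash(n), n) for n in all_owner_names(names))
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]


def covers(record, h):
    """True if hash h falls strictly between the record's owner and next hash."""
    owner, nxt, _ = record
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt         # wrap-around record at the end of the chain


def nxdomain_proof(chain, qname):
    """Closest-encloser proof (RFC 5155 s7.2.2). Returns (closest_encloser, next_closer,
    distinct NSEC3 records the server must include for a Name Error on qname)."""
    existing = {n for _, _, n in chain}
    if qname in existing or not qname.endswith("." + ZONE_APEX):
        raise ValueError(f"{qname} is not a Name Error in this zone")
    next_closer, ce = qname, parent(qname)
    while ce not in existing:           # walk up to the longest existing ancestor
        next_closer, ce = ce, parent(ce)
    if "*." + ce in existing:
        raise ValueError(f"*.{ce} exists: the answer is wildcard-synthesised, not NXDOMAIN")
    # 1) NSEC3 matching the closest encloser, 2) NSEC3 covering the next closer name,
    # 3) NSEC3 covering the wildcard at the closest encloser
    wanted = [nsec3_hash(ce), nsec3_hash(next_closer), nsec3_hash("*." + ce)]
    matching = next(r for r in chain if r[0] == wanted[0])
    covering = [next(r for r in chain if covers(r, h)) for h in wanted[1:]]
    records = []
    for r in [matching] + covering:
        if r not in records:            # one record may serve two of the three steps
            records.append(r)
    return ce, next_closer, records


def estimate_nxdomain_size(n_nsec3, zsk_bits, qname, apex=ZONE_APEX, bitmap_bytes=8):
    """Approximate uncompressed wire size of a signed NXDOMAIN reply with an EDNS0 OPT RR.
    Assumes an RSA ZSK, so each RRSIG carries a modulus-length signature (assumption)."""
    sig = zsk_bits // 8
    apex_w = len(wire_name(apex))
    header_question_opt = 12 + len(wire_name(qname)) + 4 + 11
    soa = apex_w + 10 + (2 * apex_w + 20)                    # MNAME, RNAME, five counters
    rrsig_soa = apex_w + 10 + 18 + apex_w + sig              # 18 fixed RRSIG rdata bytes
    nsec3 = (33 + apex_w) + 10 + (5 + len(SALT) + 1 + 20 + bitmap_bytes)
    rrsig_nsec3 = (33 + apex_w) + 10 + 18 + apex_w + sig
    return header_question_opt + soa + rrsig_soa + n_nsec3 * (nsec3 + rrsig_nsec3)


def fragments_on_path(dns_bytes, mtu=1500):
    """IPv4 (20) + UDP (8) headers plus the DNS payload above the MTU means IP fragmentation."""
    return dns_bytes + 28 > mtu


if __name__ == "__main__":
    chain = build_nsec3_chain(ZONE_NAMES)
    ce, nc, recs = nxdomain_proof(chain, "a.c.x.w.example.")
    print(f"closest encloser {ce}, next closer {nc}, {len(recs)} NSEC3 records:")
    for owner, nxt, name in recs:
        print(f"  {owner}.example. NSEC3 ... {nxt}   (record for {name})")
    for bits in (1024, 2048):
        size = estimate_nxdomain_size(len(recs), bits, "a.c.x.w.example.")
        print(f"RSA-{bits} ZSK: ~{size} bytes, fragments at 1500 MTU: {fragments_on_path(size)}")
```

Real responses are somewhat smaller than the estimate because of name compression, and the ORG figures in the message are not reproduced here; the point the model makes is that four RRSIGs (SOA plus three NSEC3s) add four signature lengths, so going from a 1024-bit to a 2048-bit RSA ZSK alone adds 512 bytes to every NXDOMAIN, which is what turns a reply that fits comfortably into one that fragments or, for a resolver advertising a small EDNS0 buffer, falls back to TCP.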