[dns-operations] signing a zone with NSEC3 records.
Mark Andrews
marka at isc.org
Thu Sep 10 22:34:01 UTC 2009
In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
> * bert hubert:
>
> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
> > (which need 3 NSEC3 records, plus associated signatures). This increase
> > will often push the datagram carrying a response beyond the point
> > where it needs to be fragmented over several packets.
>
> On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
> from resolvers for unsigned delegations. This may be beneficial to
> certain legacy MTAs. (But I guess the days to pay respect to those
> poor MTAs are finally over.)
How do you come to that conclusion? 2 NSEC3 records vs 1 DS RRset
or 1 NSEC record.
Mark
% dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
; <<>> DiG 9.3.6-P1 <<>> +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44509
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.org. IN ANY
;; AUTHORITY SECTION:
abc.org. 86400 IN NS ns4.dnsmadeeasy.com.
abc.org. 86400 IN NS ns2.dnsmadeeasy.com.
abc.org. 86400 IN NS ns0.dnsmadeeasy.com.
abc.org. 86400 IN NS ns3.dnsmadeeasy.com.
abc.org. 86400 IN NS ns1.dnsmadeeasy.com.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN TYPE50 \# 39 0101000104D399EAAB148A77C7ACEFCBC55446032B2D961CC5EB6821 EF26000722000000000290
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG TYPE50 7 2 86400 20090924222925 20090910212925 23489 org. a6vdvQQtTI4xIPoIXD1lfJik9fbuqw0UUVr0VhsVAHsAG3zDv9CgO6Q9 iNHA13LolfJFDS1ykEXppABJPGrqpB1lUckhfU/onnYYp2c7O4eLaXUx NzAUrP2PBaotaqiIz4f89QEJ0WuWUKlnAbbXLxC3/uNjtci/SyZ4Q6e4 FvU=
5b95ccfsrvpna4m88egu7hlo5dd7etlj.org. 86400 IN TYPE50 \# 38 0101000104D399EAAB142AE8049FE6036BB35EEC8385ED83B3026A42 25E10006400000000002
5b95ccfsrvpna4m88egu7hlo5dd7etlj.org. 86400 IN RRSIG TYPE50 7 2 86400 20090923211743 20090909201743 23489 org. KPzCNZbBukrkxBzCmsJ6h/on/R7kAz7ViJyMdIb2e88oHszueIIUl7Uw ZsJQ0ug0xLRMXkTe8+4SuU5TCEVRjA9Nt5JunjhpV3V9KxQ3xB1ZnNXw qudAePTntgSSIJgPjTBSDBzDAvfeeqdEHCW794h4pMc0yGTrNtN4Im+k oIg=
;; Query time: 188 msec
;; SERVER: 2001:500:c::1#53(2001:500:c::1)
;; WHEN: Fri Sep 11 08:29:55 2009
;; MSG SIZE rcvd: 634
% dig +dnssec any isc.org @B0.ORG.AFILIAS-NST.org.
; <<>> DiG 9.3.6-P1 <<>> +dnssec any isc.org @B0.ORG.AFILIAS-NST.org.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37471
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;isc.org. IN ANY
;; AUTHORITY SECTION:
isc.org. 86400 IN NS ns.isc.afilias-nst.info.
isc.org. 86400 IN NS ams.sns-pb.isc.org.
isc.org. 86400 IN NS ord.sns-pb.isc.org.
isc.org. 86400 IN NS sfba.sns-pb.isc.org.
isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 86400 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN RRSIG DS 7 2 86400 20090923211743 20090909201743 23489 org. I70xvgwVb3Dn/5XibXGvvB1cLFFye3l+begS8rMrHE37NQjqat9x/ITv 2gaBCSAhN0CZeUkzsqtAaofjRRPJ90+3o07uSU34C7DayWS8fa8lskIc bS4xF3AK+rK4ELSNG8ZLvNn2KSJkRKyTHigPPwk0TRM1hddCFnH1+hUa 6yk=
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 86400 IN A 199.6.1.30
ord.sns-pb.isc.org. 86400 IN A 199.6.0.30
sfba.sns-pb.isc.org. 86400 IN A 149.20.64.3
;; Query time: 527 msec
;; SERVER: 2001:500:c::1#53(2001:500:c::1)
;; WHEN: Fri Sep 11 08:30:04 2009
;; MSG SIZE rcvd: 430
%
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
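Added example, not part of the message or of BIND: this Python decodes the two TYPE50 \# blobs from the first dig output above (BIND 9.3's dig predates NSEC3, so it prints the RDATA in RFC 3597 unknown-type form) into the NSEC3 fields and checks whether a record covers a given name using the RFC 5155 hash; the type-name table is an assumed subset and the cover check ignores chain wrap-around. It goes slightly beyond the thread by showing that the response carries one NSEC3 matching the closest encloser (org.) plus one opt-out NSEC3 covering abc.org, which is the "2 NSEC3 records" Mark counts.

```python
import base64
import hashlib

# Constructed from the two TYPE50 records in the quoted dig output, as
# (hashed owner label, hex RDATA); the "\# <len>" prefix is dropped.
NSEC3_APEX = ("h9p7u7tr2u91d0v0ljs9l1gidnp90u3h",
              "0101000104D399EAAB148A77C7ACEFCBC55446032B2D961CC5EB6821EF26000722000000000290")
NSEC3_COVER = ("5b95ccfsrvpna4m88egu7hlo5dd7etlj",
               "0101000104D399EAAB142AE8049FE6036BB35EEC8385ED83B3026A4225E10006400000000002")

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 (what base64 module speaks)
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # base32hex, used for NSEC3 owner names
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 46: "RRSIG", 48: "DNSKEY", 51: "NSEC3PARAM"}  # assumed subset

def b32hex_encode(raw: bytes) -> str:
    return base64.b32encode(raw).decode().rstrip("=").translate(str.maketrans(B32_STD, B32_HEX))

def b32hex_decode(label: str) -> bytes:
    return base64.b32decode(label.upper().translate(str.maketrans(B32_HEX, B32_STD)))

def parse_nsec3(rdata_hex: str) -> dict:
    """RFC 5155 s3.2 wire layout: alg, flags, iterations, salt, next hash, type bitmap."""
    d = bytes.fromhex(rdata_hex)
    salt = d[5:5 + d[4]]
    pos = 5 + d[4]
    next_hash = d[pos + 1:pos + 1 + d[pos]]
    pos += 1 + d[pos]
    types = []
    while pos < len(d):                       # RFC 4034 s4.1.2 window blocks, bit 0 = MSB
        window, length = d[pos], d[pos + 1]
        for i, byte in enumerate(d[pos + 2:pos + 2 + length]):
            types += [window * 256 + i * 8 + bit for bit in range(8) if byte & (0x80 >> bit)]
        pos += 2 + length
    return {"alg": d[0], "opt_out": bool(d[1] & 1), "iterations": int.from_bytes(d[2:4], "big"),
            "salt": salt, "next": b32hex_encode(next_hash),
            "types": [TYPE_NAMES.get(t, f"TYPE{t}") for t in types]}

def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 s5: SHA-1(owner_wire || salt), then `iterations` more rounds of SHA-1(h || salt)."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(owner_label: str, rdata_hex: str, name: str) -> bool:
    # True when H(name) sorts strictly between owner and next hashed owner (no wrap-around).
    rec = parse_nsec3(rdata_hex)
    h = nsec3_hash(name, rec["salt"], rec["iterations"])
    return b32hex_decode(owner_label) < h < b32hex_decode(rec["next"])
```

`parse_nsec3(NSEC3_APEX[1])["types"]` yields the apex bitmap (NS SOA RRSIG DNSKEY NSEC3PARAM), which is why that record is the closest-encloser match, while `covers(*NSEC3_COVER, "abc.org")` is true for the opt-out record.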