[dns-operations] signing a zone with NSEC3 records.
marka at isc.org
Fri Sep 11 22:06:51 UTC 2009
In message <828wgm7yii.fsf at mid.bfk.de>, Florian Weimer writes:
> * Mark Andrews:
> > In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
> >> * bert hubert:
> >> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
> >> > (which need 3 NSEC3 records, plus associated signatures).This increase
> >> > will often push the datagram carrying a response beyond the point
> >> > where it needs to be fragmented over several packets.
> >> On the other hand, NSEC3 *decreases* the size of QTYPE=3D3DANY responses
> >> from resolvers for unsigned delegations. This may be beneficial to
> >> certain legacy MTAs. (But I guess the days to pay respect to those
> >> poor MTAs are finally over.)
> > How do you come to that conclusion?
> Looking at packets?
> > % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
> The relevant case is DO=3D0. Then the NSEC3 records aren't included
> because their owner name doesn't match.
And NSEC records are not include for signed/unsigned delegations
with a ANY query with DO=0. In all cases you should get a referral.
Whether the referral has DNSSEC records or not depends on DO. If
DO is set then the NSEC zones response will be the same or smaller
than the NSEC3 signed zone will be.
; <<>> DiG 9.3.6-P1 <<>> nic.se any @a.ns.se +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7352
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;nic.se. IN ANY
;; AUTHORITY SECTION:
nic.se. 86400 IN NS ns.nic.se.
nic.se. 86400 IN NS ns2.nic.se.
nic.se. 86400 IN NS ns3.nic.se.
;; ADDITIONAL SECTION:
ns.nic.se. 86400 IN A 126.96.36.199
ns.nic.se. 86400 IN AAAA 2a00:801:f0:53::53
ns2.nic.se. 86400 IN A 188.8.131.52
ns3.nic.se. 86400 IN A 184.108.40.206
;; Query time: 339 msec
;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
;; WHEN: Sat Sep 12 08:04:29 2009
;; MSG SIZE rcvd: 153
I repeat the question. How do you come to that conclusion?
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations