[dns-operations] signing a zone with NSEC3 records.

Mark Andrews marka at isc.org
Fri Sep 11 22:06:51 UTC 2009


In message <828wgm7yii.fsf at mid.bfk.de>, Florian Weimer writes:
> * Mark Andrews:
> 
> > In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
> >> * bert hubert:
> >>
> >> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
> >> > (which need 3 NSEC3 records, plus associated signatures).This increase
> >> > will often push the datagram carrying a response beyond the point
> >> > where it needs to be fragmented over several packets.
> >>
> >> On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
> >> from resolvers for unsigned delegations.  This may be beneficial to
> >> certain legacy MTAs.  (But I guess the days to pay respect to those
> >> poor MTAs are finally over.)
> >
> > How do you come to that conclusion?
> 
> Looking at packets?
> 
> > % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
> 
> The relevant case is DO=0.  Then the NSEC3 records aren't included
> because their owner name doesn't match.

And NSEC records are not included for signed/unsigned delegations
with an ANY query with DO=0.  In all cases you should get a referral.
Whether the referral has DNSSEC records or not depends on DO.  If
DO is set then the NSEC zone's response will be the same size or smaller
than the NSEC3 signed zone's will be.

; <<>> DiG 9.3.6-P1 <<>> nic.se any @a.ns.se +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7352
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;nic.se.				IN	ANY

;; AUTHORITY SECTION:
nic.se.			86400	IN	NS	ns.nic.se.
nic.se.			86400	IN	NS	ns2.nic.se.
nic.se.			86400	IN	NS	ns3.nic.se.

;; ADDITIONAL SECTION:
ns.nic.se.		86400	IN	A	212.247.7.228
ns.nic.se.		86400	IN	AAAA	2a00:801:f0:53::53
ns2.nic.se.		86400	IN	A	194.17.45.54
ns3.nic.se.		86400	IN	A	212.247.3.83

;; Query time: 339 msec
;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
;; WHEN: Sat Sep 12 08:04:29 2009
;; MSG SIZE  rcvd: 153

I repeat the question.  How do you come to that conclusion?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
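The point of the exchange above is that with DO=0 there is no EDNS0 OPT record in the query, so the referral for an ANY query at a delegation carries no RRSIG, NSEC or NSEC3 records regardless of how the zone was signed; only a query with DO=1 changes that. The following is an added example, not code from the thread, from Mark Andrews or from ISC. It builds the two kinds of query on the wire (no OPT at all for DO=0; an OPT pseudo-RR with the DO flag set for DO=1) and parses a response far enough to report its size, section counts, whether it is a referral, and whether any DNSSEC record types came back. The response it parses is constructed in the script and modelled on the dig output quoted above (3 NS in AUTHORITY, 4 glue records in ADDITIONAL, no DNSSEC records); names are written uncompressed, so its size is not the 153 bytes dig reported for the real server.

```python
"""Build DNS queries with and without the EDNS0 DO bit, and parse a reply
to see which record types (RRSIG/NSEC/NSEC3) actually came back.
Added example, not from the original thread.  Wire format per RFC 1035
and RFC 6891.  The sample response below is constructed, not captured."""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3, TYPE_ANY = 46, 47, 50, 255
DNSSEC_TYPES = {TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3}
EDNS_DO = 0x8000  # DO is the top bit of the 16-bit flags half of the OPT TTL field


def encode_name(name):
    """Uncompressed wire-format owner name ('nic.se' -> \\x03nic\\x02se\\x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, do=False, qid=0x1234, udp_size=4096):
    """Query with RD clear (like dig +norec).  do=True appends an OPT pseudo-RR
    with DO=1; do=False sends no EDNS at all, i.e. DO=0."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT: owner '.', type 41, class = requestor's UDP size,
        # TTL = ext-rcode(8) | version(8) | flags(16, DO is the top bit), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: finish reading elsewhere
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Summarise a DNS message: size, rcode, DO bit seen in OPT, per-section
    counts, whether it is a referral, and whether any DNSSEC RR types appear."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections, do = {"answer": [], "authority": [], "additional": []}, False
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:  # pseudo-RR, carries the DO flag, not real data
                do = bool(ttl & EDNS_DO)
                continue
            sections[name].append((owner, rtype))
    types = {t for recs in sections.values() for _, t in recs}
    return {
        "size": len(msg), "rcode": flags & 0xF, "do": do,
        "counts": {k: len(v) for k, v in sections.items()},
        "is_referral": not sections["answer"]
        and any(t == TYPE_NS for _, t in sections["authority"]),
        "has_dnssec": bool(types & DNSSEC_TYPES),
    }


def build_rr(owner, rtype, rdata, ttl=86400):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def constructed_referral(qid=0x1234):
    """Constructed DO=0 referral for 'nic.se ANY', modelled on the thread's dig
    output; names are not compressed, so the size differs from a real server's."""
    question = encode_name("nic.se") + struct.pack("!HH", TYPE_ANY, 1)
    auth = b"".join(build_rr("nic.se", TYPE_NS, encode_name(n))
                    for n in ("ns.nic.se", "ns2.nic.se", "ns3.nic.se"))
    glue = [("ns.nic.se", TYPE_A, "212.247.7.228"),
            ("ns.nic.se", TYPE_AAAA, "2a00:801:f0:53::53"),
            ("ns2.nic.se", TYPE_A, "194.17.45.54"),
            ("ns3.nic.se", TYPE_A, "212.247.3.83")]
    add = b"".join(build_rr(n, t, ipaddress.ip_address(a).packed) for n, t, a in glue)
    header = struct.pack("!HHHHHH", qid, 0x8000, 1, 0, 3, 4)  # QR=1, AA=0: referral
    return header + question + auth + add


if __name__ == "__main__":
    for do in (False, True):
        print("DO=%d query is %d bytes" % (do, len(build_query("nic.se", TYPE_ANY, do=do))))
    print(parse_response(constructed_referral()))
```

To repeat Mark's measurement against a live server, send `build_query("nic.se", TYPE_ANY, do=False)` and the `do=True` variant over UDP port 53 to the parent's nameserver and feed each reply to `parse_response`: with DO=0 `has_dnssec` stays False for both NSEC- and NSEC3-signed parents, and only the DO=1 reply shows the RRSIG and NSEC/NSEC3 records whose sizes the thread is arguing about.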
