[dns-operations] signing a zone with NSEC3 records.
marka at isc.org
Fri Sep 11 22:35:36 UTC 2009
In message <200909112206.n8BM6pZA008888 at drugs.dv.isc.org>, Mark Andrews writes:
> In message <828wgm7yii.fsf at mid.bfk.de>, Florian Weimer writes:
> > * Mark Andrews:
> > > In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
> > >> * bert hubert:
> > >>
> > >> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
> > >> > (which need 3 NSEC3 records, plus associated signatures). This increase
> > >> > will often push the datagram carrying a response beyond the point
> > >> > where it needs to be fragmented over several packets.
> > >>
> > >> On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
> > >> from resolvers for unsigned delegations. This may be beneficial to
> > >> certain legacy MTAs. (But I guess the days to pay respect to those
> > >> poor MTAs are finally over.)
> > >
> > > How do you come to that conclusion?
> > Looking at packets?
> > > % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
> > The relevant case is DO=0. Then the NSEC3 records aren't included
> > because their owner name doesn't match.
> And NSEC records are not included for signed/unsigned delegations
> with an ANY query with DO=0. In all cases you should get a referral.
> Whether the referral has DNSSEC records or not depends on DO. If
> DO is set then the NSEC zones response will be the same or smaller
> than the NSEC3 signed zone will be.
> ; <<>> DiG 9.3.6-P1 <<>> nic.se any @a.ns.se +norec
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7352
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;nic.se. IN ANY
> ;; AUTHORITY SECTION:
> nic.se. 86400 IN NS ns.nic.se.
> nic.se. 86400 IN NS ns2.nic.se.
> nic.se. 86400 IN NS ns3.nic.se.
> ;; ADDITIONAL SECTION:
> ns.nic.se. 86400 IN A 184.108.40.206
> ns.nic.se. 86400 IN AAAA 2a00:801:f0:53::53
> ns2.nic.se. 86400 IN A 220.127.116.11
> ns3.nic.se. 86400 IN A 18.104.22.168
> ;; Query time: 339 msec
> ;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
> ;; WHEN: Sat Sep 12 08:04:29 2009
> ;; MSG SIZE rcvd: 153
> I repeat the question. How do you come to that conclusion?
Perhaps you meant ANY responses to DO=0 queries where there is data,
not delegations. Yes, these will be smaller by an NSEC and its RRSIGs.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org