[dns-operations] signing a zone with NSEC3 records.

Mark Andrews marka at isc.org
Fri Sep 11 22:35:36 UTC 2009


In message <200909112206.n8BM6pZA008888 at drugs.dv.isc.org>, Mark Andrews writes:
> 
> In message <828wgm7yii.fsf at mid.bfk.de>, Florian Weimer writes:
> > * Mark Andrews:
> > 
> > > In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
> > >> * bert hubert:
> > >>
> > >> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
> > >> > (which need 3 NSEC3 records, plus associated signatures). This increase
> > >> > will often push the datagram carrying a response beyond the point
> > >> > where it needs to be fragmented over several packets.
> > >>
> > >> On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
> > >> from resolvers for unsigned delegations.  This may be beneficial to
> > >> certain legacy MTAs.  (But I guess the days to pay respect to those
> > >> poor MTAs are finally over.)
> > >
> > > How do you come to that conclusion?
> > 
> > Looking at packets?
> > 
> > > % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
> > 
> > The relevant case is DO=0.  Then the NSEC3 records aren't included
> > because their owner name doesn't match.
> 
> And NSEC records are not included for signed/unsigned delegations
> with an ANY query with DO=0.  In all cases you should get a referral.
> Whether the referral has DNSSEC records or not depends on DO.  If
> DO is set then the NSEC zones response will be the same or smaller
> than the NSEC3 signed zone will be.
> 
> ; <<>> DiG 9.3.6-P1 <<>> nic.se any @a.ns.se +norec
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7352
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
> 
> ;; QUESTION SECTION:
> ;nic.se.				IN	ANY
> 
> ;; AUTHORITY SECTION:
> nic.se.			86400	IN	NS	ns.nic.se.
> nic.se.			86400	IN	NS	ns2.nic.se.
> nic.se.			86400	IN	NS	ns3.nic.se.
> 
> ;; ADDITIONAL SECTION:
> ns.nic.se.		86400	IN	A	212.247.7.228
> ns.nic.se.		86400	IN	AAAA	2a00:801:f0:53::53
> ns2.nic.se.		86400	IN	A	194.17.45.54
> ns3.nic.se.		86400	IN	A	212.247.3.83
> 
> ;; Query time: 339 msec
> ;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
> ;; WHEN: Sat Sep 12 08:04:29 2009
> ;; MSG SIZE  rcvd: 153
> 
> I repeat the question.  How do you come to that conclusion?

Perhaps you meant ANY responses to DO=0 queries where there is data,
not delegations.  Yes, these will be smaller by an NSEC and its RRSIGs.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
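The comparison Mark describes (a DO=0 ANY answer for a name that holds data returns the NSEC RR and its RRSIG in an NSEC zone, while an NSEC3 zone keeps its NSEC3 at the hashed owner name and so returns neither) can be checked from pasted dig output. The script below is an added example, not code from this thread; the two dig transcripts, their message sizes and the signature fields are constructed placeholders.

```python
import re
from collections import Counter

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)")

def summarise(dig_text):
    """Return (msg_size, {section: Counter(rrtype -> count)}) for one dig output."""
    section, size, counts = None, None, {}
    for line in dig_text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
            counts[section] = Counter()
        elif m := SIZE_RE.match(line):
            size = int(m.group(1))
        elif line.strip() and not line.startswith(";") and section:
            fields = line.split()  # owner TTL class TYPE rdata...
            if len(fields) >= 4 and fields[2] == "IN":
                counts[section][fields[3]] += 1
    return size, counts

def dnssec_overhead(counts):
    """Count RRs present only because the zone is signed (NSEC, NSEC3, RRSIG)."""
    return sum(c[t] for c in counts.values() for t in ("NSEC", "NSEC3", "RRSIG"))

# Constructed dig output (not captured from a real server): DO=0 ANY answers for
# a name holding data.  NSEC zone: the NSEC RR and its RRSIG sit at the owner
# name and come back as ordinary RRsets.  NSEC3 zone: the NSEC3 RR lives at the
# hashed name and is not returned.  Signatures and MSG SIZE values are placeholders.
SIG = "8 2 3600 20091001000000 20090901000000 12345 example. PLACEHOLDER="
NSEC_ZONE = f"""\
;; ANSWER SECTION:
host.example.  3600 IN A     192.0.2.1
host.example.  3600 IN RRSIG A {SIG}
host.example.  3600 IN NSEC  mail.example. A RRSIG NSEC
host.example.  3600 IN RRSIG NSEC {SIG}

;; MSG SIZE  rcvd: 330
"""
NSEC3_ZONE = f"""\
;; ANSWER SECTION:
host.example.  3600 IN A     192.0.2.1
host.example.  3600 IN RRSIG A {SIG}

;; MSG SIZE  rcvd: 170
"""

def nsec_vs_nsec3():
    """Return (NSEC-zone DNSSEC RR count, NSEC3-zone DNSSEC RR count, byte delta)."""
    size1, c1 = summarise(NSEC_ZONE)
    size3, c3 = summarise(NSEC3_ZONE)
    return dnssec_overhead(c1), dnssec_overhead(c3), size1 - size3
```

Paste real `dig +nodnssec any <name>` output from an NSEC and an NSEC3 zone into the two strings to measure the difference on live data.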