[dns-operations] ANY efforts at taking additional responses more compact?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 7 02:53:22 UTC 2016


> On Sep 6, 2016, at 9:43 PM, Paul Vixie <paul at redbarn.org> wrote:
> 
> amplification is a nice-to-have. and, this would not make amplification more difficult to reach; negative DNSSEC responses have some pretty large proofs associated with them.

Speaking of large responses, I just advised a DANE user to not publish
all 8 possible "TLSA [23] [01] [12]" records for a single service, when just
"3 1 1" and "2 1 1" are quite enough, on the basis that one should avoid
needlessly inflating DNS responses.

I then queried his authoritative servers, and discovered that by far
the biggest contribution to the response size was from signatures of
additional records carrying the A/AAAA records of multiple nameservers.
The resulting response was 3933 bytes!

The 6 extraneous TLSA records (2 with 35 bytes of rrdata, and 4 with 67)
make up only 410 bytes of the total ~4k payload.

It occurs to me that for domains with a bunch of in-bailiwick nameservers,
it might make sense to advertise just a single logical nameserver name
which carries all the associated A/AAAA records, thereby substantially
reducing the number of RRSIGs in the additional section:

That is, instead of:

   ns1.example.org. A       ...
   ns1.example.org. AAAA    ...
   ns2.example.org. A       ...
   ns2.example.org. AAAA    ...
   ns3.example.org. A       ...
   ns3.example.org. AAAA    ...
   ns4.example.org. A       ...
   ns4.example.org. AAAA    ...

Might it not now be best practice to deploy:

   ns.example.org.  A       ...
   ns.example.org.  A       ...
   ns.example.org.  A       ...
   ns.example.org.  A       ...
   ns.example.org.  AAAA    ...
   ns.example.org.  AAAA    ...
   ns.example.org.  AAAA    ...
   ns.example.org.  AAAA    ...

which reduces the number of RRSIG records from 8 to 2?

I must admit that in the particular case that got me thinking
along these lines, 6 of the 8 additional records were out of
bailiwick, and are likely ignored by most clients, so it would
certainly have been better to return only the 2 in-bailiwick
records.  Or does the fact that the out-of-bailiwick additionals
carried signatures make them less likely to be discarded?

Is anyone making any effort to employ multi-homed nameservers
instead of multiple nameservers with individual addresses?

-- 
	Viktor.
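The RRSIG arithmetic behind the message above, as an added example that is not part of Viktor's post or of any DNS server implementation: DNSSEC signs RRsets rather than individual records, so the script groups A/AAAA additionals by (owner, type), counts one RRSIG per RRset, and estimates the wire size of the signed additional section for the "one name per server" and "one multi-homed name" layouts. It also models an 8-record case where 6 additionals are out of bailiwick, with and without a server dropping them. The record sets, addresses (documentation prefixes), the assumption that each record is signed by its parent zone with a single key, and the uncompressed-name size model are all constructed for illustration.

```python
"""Added example, not part of the original message: estimate RRSIG count and
approximate wire size of a signed additional section for several nameserver
layouts. Record sets, addresses and size constants are constructed values."""
from collections import defaultdict

ZONE_APEX = "example.org."  # zone whose authoritative answer is being examined

# Wire-format sizes from RFC 1035 / RFC 4034. Names are counted uncompressed,
# so the estimate is an upper bound; real servers compress owner names.
RR_FIXED = 10            # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
RDATA_LEN = {"A": 4, "AAAA": 16}
RRSIG_FIXED = 18         # RRSIG rdata fields before the signer name and signature

# Constructed sample data. Layout 1: one name per server, 4 servers, A + AAAA each.
MULTI_NS = [rr for i in range(1, 5) for rr in (
    (f"ns{i}.example.org.", "A", f"192.0.2.{i}"),
    (f"ns{i}.example.org.", "AAAA", f"2001:db8::{i}"))]

# Layout 2: one multi-homed name carrying the same 8 addresses.
SINGLE_NS = [rr for i in range(1, 5) for rr in (
    ("ns.example.org.", "A", f"192.0.2.{i}"),
    ("ns.example.org.", "AAAA", f"2001:db8::{i}"))]

# Layout 3: 8 additionals of which only 2 (ns1.example.org) are in bailiwick.
MIXED_HOSTS = ["ns1.example.org.", "ns1.example.net.",
               "ns2.example.net.", "ns3.example.net."]
MIXED = [rr for i, host in enumerate(MIXED_HOSTS, 1) for rr in (
    (host, "A", f"192.0.2.{i}"), (host, "AAAA", f"2001:db8::{i}"))]


def wire_name_len(name):
    """Uncompressed wire length: one length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def in_bailiwick(owner, apex):
    """True when `owner` is at or below `apex`, i.e. glue the answering zone is authoritative for."""
    owner, apex = owner.lower(), apex.lower()
    return owner == apex or owner.endswith("." + apex)


def signer(owner, apex):
    """Zone assumed to sign `owner`: the apex for in-bailiwick names, otherwise the owner's parent."""
    return apex if in_bailiwick(owner, apex) else owner.split(".", 1)[1]


def group_rrsets(records):
    """Group (owner, type, rdata) triples into RRsets keyed by (owner, type).

    DNSSEC signs RRsets, not records, so the number of keys in the result is
    the number of RRSIGs the section carries (one signing key assumed).
    """
    sets = defaultdict(list)
    for owner, rtype, rdata in records:
        sets[(owner, rtype)].append(rdata)
    return dict(sets)


def additional_section_size(records, apex, sig_bytes=256, keep_out_of_bailiwick=True):
    """Return (rrsig_count, approx_bytes) for the records plus one RRSIG per RRset.

    sig_bytes=256 models an RSA-2048 signature; pass 64 to model ECDSA P-256.
    With keep_out_of_bailiwick=False, RRsets outside `apex` are omitted, as a
    server that returns only in-bailiwick glue would do.
    """
    nsigs, total = 0, 0
    for (owner, rtype), rdatas in group_rrsets(records).items():
        if not keep_out_of_bailiwick and not in_bailiwick(owner, apex):
            continue
        name_len = wire_name_len(owner)
        total += len(rdatas) * (name_len + RR_FIXED + RDATA_LEN[rtype])
        total += (name_len + RR_FIXED + RRSIG_FIXED
                  + wire_name_len(signer(owner, apex)) + sig_bytes)
        nsigs += 1
    return nsigs, total


if __name__ == "__main__":
    cases = (("one name per server", MULTI_NS, True),
             ("one multi-homed name", SINGLE_NS, True),
             ("6 of 8 out of bailiwick, all kept", MIXED, True),
             ("6 of 8 out of bailiwick, dropped", MIXED, False))
    for label, recs, keep in cases:
        n, size = additional_section_size(recs, ZONE_APEX, keep_out_of_bailiwick=keep)
        print(f"{label:36s} RRSIGs={n}  ~{size} bytes (RSA-2048)")
```

Running it shows the point of the message in numbers: the same eight addresses cost 8 RRSIGs under one-name-per-server but only 2 under one multi-homed name, and with RSA-2048 signatures the signature bytes dominate the section either way. Switching `sig_bytes` to 64 shows how much of that overhead is down to the signing algorithm rather than the layout.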