[dns-operations] R: Change to BIND minimal-responses config option
Costantino Andrea (Con)
andrea.costantino at h3g.it
Mon Apr 24 13:12:22 UTC 2017
minimal-responses yes; is GOOD.
I've been running tens of DNS servers across different companies, functions, zones and roles with minimal-responses yes for years (for some installations, around 10 years) and never had an issue.
To be honest, I ran into issues without it, since we had a very large Active Directory domain zone with a bunch of NS records, and braindead firewalls stopped responding, even when instructed not to inspect, or to cope with, large responses. But it was around 2006, so no big deal then.
I ended up with minimal-responses first, and then I decided to run DNS flows inside the company on a different port, just to avoid it happening again (and not to waste CPU cycles on firewalls with very old compliance code, absolutely inadequate for the pace of change in DNS in recent years).
That said, since that day I have deployed hundreds of installations (counting reinstalls, upgrades, new designs, etc.), and they have faced queries from datacenter hosts, recursive DNS servers, intranet clients and mobile devices (all in the range from hundreds to millions), and it never showed a flaw.
The non-minimal response is chatty, zero-value-added waste for 90% of queries. And the 10% that make use of it can explicitly and transparently ask for what they really need. Probably there's also 1% of buggy resolvers that might be broken by this change, but they will probably also be broken by a release change, an RFC change, a moon phase change, daylight saving time, my daughters' whims and solar flares, but only if they cross the Tropic of Cancer.
Hope this will help you find peace of mind on this.
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On behalf of Mukund Sivaraman
Sent: Friday, 21 April 2017 05:59
To: dns-operations at dns-oarc.net
Subject: [dns-operations] Change to BIND minimal-responses config option
So far, the BIND "minimal-responses" config option has been set to false in the default config. We are changing this to true in 9.12.
Currently the BIND ARM describes it so:
If yes, then when generating responses the server will only add
records to the authority and additional data sections when they are
required (e.g. delegations, negative responses). This may improve
the performance of the server. The default is no.
It'll still be possible to set it to false via config in 9.12.
As described, delegations, glue, and negative responses are unaffected, as it is with BIND <= 9.11 with explicit "minimal-responses yes".
We're seeking feedback on whether the change will impact anyone.
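Added example, not part of either message above and not BIND's own code: a small POSIX shell check that a practitioner can pipe `dig` output into to confirm that an authoritative server is actually answering with minimal responses after the change. It parses the `;; flags:` header line that `dig` prints, subtracts the EDNS OPT pseudo-record (which `dig` counts under ADDITIONAL even when no real RRs are there), and reports whether authority and additional are empty. Query an in-zone name, not a delegation or a non-existent name, since those legitimately carry authority/additional data with `minimal-responses yes;`, as the original message notes. The two `dig` outputs embedded below are constructed samples, and the zone, names and addresses are illustrative (`example.com`, `192.0.2.x`).

```shell
#!/bin/sh
# Added example: verify that an authoritative BIND server sends minimal
# answers. Relevant named.conf setting:  options { minimal-responses yes; };
# Usage against a live server (assumed hostnames):
#   dig @ns1.example.com www.example.com A | is_minimal_response && echo minimal

# Read dig output on stdin and print "<authority> <additional>", with the
# EDNS OPT pseudo-record subtracted from ADDITIONAL when dig reported one,
# because the header count includes OPT even when no real RRs are present.
dig_extra_rr_counts() {
    awk '
        /^;; flags:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "AUTHORITY:")  { auth = $(i + 1); sub(/,/, "", auth) }
                if ($i == "ADDITIONAL:") { add  = $(i + 1); sub(/,/, "", add) }
            }
        }
        /^;; OPT PSEUDOSECTION:/ { opt = 1 }
        END { printf "%d %d\n", auth, add - opt }
    '
}

# Exit 0 when the response has no authority records and no additional
# records beyond OPT, i.e. the shape of an in-zone answer under
# "minimal-responses yes;"; exit 1 otherwise.
is_minimal_response() {
    counts=$(dig_extra_rr_counts)
    set -- $counts
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}

# Constructed dig outputs (not captured from a real server), trimmed to the
# lines that matter. FAT_RESPONSE is what "minimal-responses no;" produces
# for an in-zone A record: the zone NS set in AUTHORITY and their addresses
# in ADDITIONAL. MINIMAL_RESPONSE is the same answer with
# "minimal-responses yes;".
FAT_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        3600    IN      A       192.0.2.10

;; AUTHORITY SECTION:
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        3600    IN      A       192.0.2.1
ns2.example.com.        3600    IN      A       192.0.2.2'

MINIMAL_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        3600    IN      A       192.0.2.10'

# Run both constructed samples through the check when executed directly.
for sample in FAT_RESPONSE MINIMAL_RESPONSE; do
    eval "body=\$$sample"
    counts=$(printf '%s\n' "$body" | dig_extra_rr_counts)
    if printf '%s\n' "$body" | is_minimal_response; then
        echo "$sample: minimal (authority/additional empty)"
    else
        echo "$sample: not minimal (authority/additional counts: $counts)"
    fi
done
```

The check only looks at section counts, which is enough to tell `yes` from `no` on a plain in-zone answer; a recursive server, a delegation response or a NXDOMAIN will legitimately report non-zero counts, so treat those as out of scope rather than as a failure.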