Authority section blocking aaaa additionals

I’m experimenting with nsd for my secondaries.

I notice that an MX lookup for my primary zone includes the AAAA for
only one of the two MXs returned.

The primary NS, running power, includes the AAAA for both MXs.

The difference seems to be that power doesn’t send authority records,
and therefore can fit all nine of the additional records which it sends.

By including the NS set (3 NS and an RRSIG), nsd wants to send 17
additional records (determined via a tcp query), but can only fit
11 in udp.

For the tcp query, dig reports “MSG SIZE rcvd: 2026” and for the udp
query it reports “MSG SIZE rcvd: 1429” which implies that nsd’s 4096
default is not the problem.

Without dnssec, of course, everything fits.

The MX whose AAAA is returned happens also to be an NS for the zone; I
cannot tell whether that is why its AAAA gets included.

Can nsd be configured to skip the authority block? Or would that
require a recompilation? Or to put the additionals from the answer
ahead of the additionals from the authority?

Amusingly, sending the query via udp/ip6 returns NO AAAA records at all,
so a v6-only client would need to do explicit AAAA queries for each mx
after doing the MX query.

Without the authority section, even a v6 reply with the additionals for
the mx answer fits into a single ethernet frame.

-JimC

Hi James,

> I’m experimenting with nsd for my secondaries.
>
> I notice that an MX lookup for my primary zone includes the AAAA
> for only one of the two MXs returned.
>
> The primary NS, running power, includes the AAAA for both MXs.
>
> The difference seems to be that power doesn’t send authority
> records, and therefore can fit all nine of the additional records
> which it sends.
>
> By including the NS set (3 NS and an RRSIG), nsd wants to send 17
> additional records (determined via a tcp query), but can only fit
> 11 in udp.
>
> For the tcp query, dig reports “MSG SIZE rcvd: 2026” and for the
> udp query it reports “MSG SIZE rcvd: 1429” which implies that
> nsd’s 4096 default is not the problem.

This is because NSD uses a UDP size limit of 1480 (IPv4) and 1220
(IPv6). And this is how it truncates the messages. This is why on
IPv6 you get less data. And the additional AAAA records do not fit
within this limit.

If you do not want this, use ./configure --disable-minimal-responses
and then it'll use 4096 like you thought you wanted.

> Without dnssec, of course, everything fits.

It is the size.

Best regards,
   Wouter

Hi,

> This is because NSD uses a UDP size limit of 1480 (IPv4) and 1220
> (IPv6). And this is how it truncates the messages. This is why on
> IPv6 you get less data. And the additional AAAA records do not fit
> within this limit.
>
> If you do not want this, use ./configure --disable-minimal-responses
> and then it'll use 4096 like you thought you wanted.
>
> > Without dnssec, of course, everything fits.
>
> It is the size.

Yes, That was my point.

I'd still prefer to eliminate the AUTH data; the resolvers already have
a verified set of NS RRs from the parent zone; the ADDITIONAL data is
much more valuable to them, as it avoids additional :) round trips.

Aside from this, it is great. And uses *much* less VM than power.
(75+70+70 Mo allocated instead of 122 Mo + 1.2 Go!) Much smoother
on a ram-challenged vps.

-JimC
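To make the size arithmetic in this thread concrete, here is an added Python simulation (not NSD's code; the zone, host names, addresses and 64-byte dummy signatures are constructed) that packs a signed MX response into each UDP budget named above, 1220, 1480 and 4096 bytes, with and without the authority section. It assumes a simple policy: TC is set when answer or authority data does not fit, and additional records that overflow are dropped one by one; NSD's real packer is more involved, but the effect on the AAAA count is the same.

```python
import struct

A, NS, MX, AAAA, RRSIG = 1, 2, 15, 28, 46     # RR type codes
ZONE = "example.net."                        # constructed sample zone, not the poster's
HOSTS = ["mx1", "mx2", "ns1", "ns2", "ns3"]  # mx1/mx2 are the MX targets, ns1-3 the NS set

def name_wire(name: str) -> bytes:
    """Uncompressed wire-format name (no label compression, so sizes are easy to follow)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr_wire(owner: str, rtype: int, rdata: bytes, ttl: int = 3600) -> tuple:
    """One resource record as (type, wire): owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return rtype, name_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig(owner: str, covered: int, sig_len: int = 64) -> tuple:
    """RRSIG with an ECDSA-P256-sized dummy signature (18-byte fixed header + signer + signature)."""
    hdr = struct.pack("!HBBIIIH", covered, 13, len(owner.rstrip(".").split(".")), 3600, 0, 0, 0)
    return rr_wire(owner, RRSIG, hdr + name_wire(ZONE) + b"\x00" * sig_len)

def build_response(max_size: int, include_authority: bool = True) -> dict:
    """Pack an MX response into max_size bytes, section by section, and report what fit."""
    question = name_wire(ZONE) + struct.pack("!HH", MX, 1)
    answer = [rr_wire(ZONE, MX, struct.pack("!H", 10) + name_wire(h + "." + ZONE)) for h in HOSTS[:2]]
    answer.append(rrsig(ZONE, MX))
    authority = [rr_wire(ZONE, NS, name_wire(h + "." + ZONE)) for h in HOSTS[2:]] + [rrsig(ZONE, NS)]
    additional = []
    for h in HOSTS:                            # A + RRSIG + AAAA + RRSIG for every MX and NS target
        fqdn = h + "." + ZONE
        additional += [rr_wire(fqdn, A, bytes([192, 0, 2, 1])), rrsig(fqdn, A),
                       rr_wire(fqdn, AAAA, bytes([0x20, 1, 0xD, 0xB8]) + bytes(12)), rrsig(fqdn, AAAA)]
    size, tc = 12 + len(question), False       # 12-byte header plus the question section
    counts = {"answer": 0, "authority": 0, "additional": 0, "aaaa": 0}
    for section, rrs in (("answer", answer), ("authority", authority if include_authority else [])):
        for _, rr in rrs:
            if size + len(rr) > max_size:      # required data does not fit: set TC, client retries over TCP
                tc = True
                break
            size, counts[section] = size + len(rr), counts[section] + 1
        if tc:
            break
    for rtype, rr in additional:               # optional data: drop whatever does not fit, no TC bit
        if size + len(rr) <= max_size:
            size, counts["additional"] = size + len(rr), counts["additional"] + 1
            counts["aaaa"] += rtype == AAAA
    counts.update(size=size, tc=tc, total_additional=len(additional))
    return counts

if __name__ == "__main__":
    for limit in (1220, 1480, 4096):           # NSD's IPv6, IPv4 and 4096-byte budgets from the thread
        for auth in (True, False):
            print(limit, "with-auth" if auth else "no-auth  ", build_response(limit, auth))
```

With the constructed zone, the 1220-byte IPv6 budget keeps 11 of 20 additional records, the 1480-byte budget 13, and dropping the authority section lets all five AAAA records through at 1480.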