I manage a DNS Yeti <http://yeti-dns.org/> root name server and, for
experimental purposes, we now have 23 root name servers. But NSD does
not send the glue for all of them:
% dig @dahu1.yeti.eu.org NS .
; <<>> DiG 9.9.5-12.1-Debian <<>> @dahu1.yeti.eu.org NS .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 368
;; flags: qr aa rd; QUERY: 1, ANSWER: 24, AUTHORITY: 0, ADDITIONAL: 12
;; WARNING: recursion requested but not available
Try using --disable-minimal-responses for ./configure.
It works, thanks.
But it is not very convenient if you use a package and do not compile
yourself. Would it be possible to make it a configurable option and
not just a compile-time one?
I'm looking at minimal responses and I wanted to get some input about
how it works. I understand that
" The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
1220 (EDNS/IPv6), or the advertised EDNS buffer size if that is
smaller than the EDNS default."
What I wanted to ask is how does the name server decide what parts of
the additional section are removed? For instance, if the query came in
over IPv6, would nsd attempt to add AAAA glue before A glue? If the zone
is signed, will it attempt to only add glue if it can also add the RRSIG
record?
Finally, I thought that you would have to include at least one glue record
in the additional section, otherwise a resolution is not possible.
However nsd will answer with an empty additional section even if all
labels in the NS set are in zone. Is this an error or have I missed
something?
I have set up an example.com zone on one of my servers to demonstrate
this. The following query produces no glue records in the additional
section.
Increasing the bufsize does add additional glue until you get to 1.5k,
at which point the hard limit in nsd kicks in. You can also see that no
glue is given over DNSSEC, but the bufsize at this point is already over
the 1500 limit.
> What I wanted to ask is how does the name server decide what parts of
> the additional section are removed? For instance, if the query came in
> over IPv6, would nsd attempt to add AAAA glue before A glue? If the zone
> is signed, will it attempt to only add glue if it can also add the RRSIG
> record?
I can't answer this as I don't know the code, but the NSD developers
should be able to.
However, the idea of preferring glue based on the query's address family
has been added to BIND recently. Look at the 9.10.4 release notes.
However, I don't think NSD pays attention to the query's address family
when deciding which glue to add.
> Finally, I thought that you would have to include at least one glue record
> in the additional section, otherwise a resolution is not possible.
> However nsd will answer with an empty additional section even if all
> labels in the NS set are in zone. Is this an error or have I missed
> something?
> I have set up an example.com zone on one of my servers to demonstrate
> this. The following query produces no glue records in the additional
> section.
Right, so here, NSD isn't providing any glue. However... the recursor
already has at least one address that it knows answers for example.com
(because the response had AA), and this address is 5.28.62.36. So the
recursor should be able to follow up with A and AAAA queries to
5.28.62.36 for all those NS records it got in the answer.
However, if the response from 5.28.62.36 had not been an authoritative
answer, but rather a delegation, then missing glue would make resolution
fail. NSD should recognise this, and set the TC bit in the response to
encourage the client to come back over TCP.
> Right, so here, NSD isn't providing any glue. However... the recursor
> already has at least one address that it knows answers for example.com
> (because the response had AA), and this address is 5.28.62.36. So the
> recursor should be able to follow up with A and AAAA queries to
> 5.28.62.36 for all those NS records it got in the answer.
Ahh yes thanks
> However, if the response from 5.28.62.36 had not been an authoritative
> answer, but rather a delegation, then missing glue would make resolution
> fail. NSD should recognise this, and set the TC bit in the response to
> encourage the client to come back over TCP.
So I created a delegation and I still receive no glue; see the following.
The NS set is 40 records, which requires a 1444-byte answer, so when I increased the buffer size to 3K
I got two A records, indicating that the server is limiting the answers it gives out over UDP.
With TCP I got:
;; Query time: 89 msec
;; SERVER: 5.28.62.36#53(5.28.62.36)
;; WHEN: Wed May 11 15:13:04 EDT 2016
;; MSG SIZE rcvd: 3204
Check your settings for
ipv4-edns-size: <number>
Preferred EDNS buffer size for IPv4.
ipv6-edns-size: <number>
Preferred EDNS buffer size for IPv6.
Both of these are set to 4k on the server side. However, the dig
commands I use are forcing the EDNS size to 1444 to highlight this
issue. For clarity, and to remove EDNS from the equation, I have created
a delegation that will never send glue records unless one queries over
TCP. Furthermore, TC=1 will never be sent unless your EDNS buffer size is
< 1480.
`dig ns sub1.example.com. @5.28.62.36`
This is being controlled by the minimum response size feature introduced
in nsd 3.2.9:
'''
Minimize responses to reduce truncation: NSD will only add optional
records to the authority and additional sections when the response size
does not exceed the minimal response size.
The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4), 1220
(EDNS/IPv6), or the advertized EDNS buffer size if that is smaller than
the EDNS default.
'''
My expectation is that nsd should always endeavour to send at least one
glue record when answering with a delegation. Otherwise recursion will
fail at this point and in this case sub1.example.com would never resolve.
> The NS set is 40 records, which requires a 1444-byte answer, so when I increased the buffer size to 3K
> I got two A records, indicating that the server is limiting the answers it gives out over UDP.
> My expectation is that nsd should always endeavour to send at least one
> glue record when answering with a delegation. Otherwise recursion will
> fail at this point and in this case sub1.example.com would never resolve.
I have implemented the following fixes (in the code repository, works
with the example.com zone that John set up): NSD includes AAAA before A
when the query is over IPv6 for glue. NSD sets TC if it cannot provide
at least one glue (only for delegations that have glue; only glue of the
matching address family counts).
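A worked model of the behaviour discussed in this thread (the minimal response size rule John quotes from the NSD documentation, and the AAAA-first and TC changes Wouter describes), added here as an example; it is not NSD's own code. It assumes a simplified wire-size model with no name compression, so the byte counts are illustrative rather than exact, and every name, address and buffer size used with it is constructed.

```python
"""Model of NSD's minimal-response glue policy as described in this thread.
Added example, not NSD's own code; the wire-size model ignores name
compression, so sizes are illustrative rather than byte-exact."""

HEADER_LEN = 12  # DNS message header
OPT_RR_LEN = 11  # EDNS OPT pseudo-RR (root owner + fixed fields)

def wire_name_len(name):
    """Uncompressed wire length of a name ("example.com." -> 13)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rr_len(owner, rdata_len):
    # owner + TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) + RDATA
    return wire_name_len(owner) + 10 + rdata_len

def minimal_response_size(edns_bufsize, over_ipv6):
    """512 (no EDNS), 1480 (EDNS/IPv4), 1220 (EDNS/IPv6), or the advertised
    EDNS buffer size if that is smaller, as the NSD documentation says."""
    if edns_bufsize is None:
        return 512
    return min(1220 if over_ipv6 else 1480, edns_bufsize)

def delegation_reply(qname, ns_names, glue, edns_bufsize, over_ipv6, tcp=False):
    """Build a referral: the NS set is mandatory, glue is optional and only
    added while the message stays within the minimal response size.
    glue maps an NS owner name to a list of (type, address) records.
    Also models Wouter's two changes: AAAA glue first over IPv6, and TC set
    when matching-family glue exists but none of it fits (our reading)."""
    size = HEADER_LEN + wire_name_len(qname) + 4  # header + question
    size += sum(rr_len(qname, wire_name_len(ns)) for ns in ns_names)
    if edns_bufsize is not None:
        size += OPT_RR_LEN
    limit = 65535 if tcp else minimal_response_size(edns_bufsize, over_ipv6)
    want = "AAAA" if over_ipv6 else "A"
    candidates = [(o, t) for o, rrs in glue.items() for t, _ in rrs]
    candidates.sort(key=lambda c: c[1] != want)  # stable: matching family first
    included = []
    for owner, rtype in candidates:
        need = rr_len(owner, 16 if rtype == "AAAA" else 4)
        if size + need <= limit:
            size += need
            included.append((owner, rtype))
    have_matching = any(t == want for _, t in candidates)
    got_matching = any(t == want for _, t in included)
    return {"size": size, "glue": included, "tc": have_matching and not got_matching}
```

With a 40-name delegation under sub1.example.com and a 3000-byte EDNS buffer over IPv4, the NS set alone (about 2 KB in this model) already exceeds the 1480-byte minimal response size, so no glue is added and TC is set; the same query over TCP gets its glue.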
Increasing the buf size beyond this has no further effect and you will
only ever receive two glue records.
This is not such an issue until we consider the sub1.example.com. With
this zone the answer section with one glue record is above the 1500-byte
minimal-responses limit for IPv4. This means that no matter what value
one advertises in EDNS they will always be given an answer with TC=1. This
I'm not suggesting this behaviour is incorrect, and I can see the benefits in
avoiding fragmentation. However, with this discussion and the comments
from Stephane last week, I wonder if it is worth considering having a
config item for minimal response size, something like:
ipv4-minimal-response: <number or edns>
NSD will only add optional records to the authority and additional
sections when the response size does not exceed this value in bytes or
the advertised EDNS size if set to 'edns'. The default is 1480
ipv6-minimal-response: <number or edns>
NSD will only add optional records to the authority and additional
sections when the response size does not exceed this value in bytes or
the advertised EDNS size if set to 'edns'. The default is 1220