minimal-any on master

Jim Popovitch jimpop at domainmail.org
Mon Sep 5 16:39:07 UTC 2016


On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote:
> Jim Popovitch via bind-users <bind-users at lists.isc.org> wrote:
> >
> > Thanks.  Now I'm seeing something slightly different.  I have 3 NS
> > servers, ns{1-3}.domainmail.org.
> >
> > When I first asked 3 days ago I was seeing long ANY responses on the
> > master (ns1).  Today I am seeing long ANY responses on ns3 (but not
> > ns1).  O.o
> >
> > for ns in ns1 ns2 ns3; do dig ANY domainmail.org @$ns.domainmail.org|wc -c; done
> > 591
> > 610
> > 13280
> 
> OK, this is SUBTLE.
> 
> minimal-any is a bit stupid: it just hands out the first RRset it gets
> out of the guts of BIND without any attempt to choose the smallest or
> otherwise choose an RRset consistently. This means you will get different
> answers from different servers depending on how the zone has changed
> recently - especially if there is churn due to DNSSEC re-signing.
> 
> So it is expected that you will get answers of varying sizes. But why such
> a huge variation in this case?
> 
> Well, minimal-any doesn't apply to queries over TCP - you get the full
> unexpurgated ANY response over TCP. So, if you use `dig +tcp` you will get
> the huge answer from all your servers. If you use `dig +ignore` (i.e.
> ignore truncation) you will prevent dig from switching from UDP to TCP, so
> you should get a more reliable indication that minimal-any is actually
> working.
> 
> Now why are you getting a truncated response?
> 
> If I look at the RRsets at the apex of your zone, most of them are pretty
> small, but the DNSKEY RRset is huge. (See script below.) So if your server
> happens to choose the DNSKEY RRset as its response to ANY, that might lead
> to TC and retry over TCP.


Thank you for detailing that Tony, I now have a better understanding.

> 
> Your DNSKEY RRset is huge because you have four keys (two KSKs and two
> ZSKs) and four RRSIGs (one for each key).


I call that "full mesh"!  :-)
 
> You can reduce this a bit by setting dnssec-dnskey-kskonly in named.conf.
> This tells BIND to only use KSKs to sign the DNSKEY RRset, which would
> reduce you from 4 signatures to 2.


Done.  Thank you for suggesting that.

> You can also be careful when setting up your key rollovers so that only
> one key is active at a time, which would reduce you to 1 signature.
 

Hmmm, this is counter to what I've believed all along.  I thought it was prudent to have key overlap during rollovers. Or are you saying only do ZSK rollovers well after the KSK rollover has settled?


> And you can avoid rolling ZSK and KSK at the same time, so you only have 2
> or 3 DNSKEY records.
> 

Yes, the current situation is due to unfortunate timing.

-Jim P.
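As an added example (not code from the thread or from BIND), here is a Python 3 standard-library script that performs the check Tony describes: it sends one ANY query over UDP with no TCP fallback (the `dig +ignore` behaviour) and one over TCP, and reports the TC bit and response size, so you can see whether minimal-any is taking effect on each of your own authoritative servers. The server address and zone name are caller-supplied; the EDNS buffer size of 4096 mirrors dig's default, and the header at the bottom is a constructed sample, not a captured packet.

```python
import socket
import struct

QTYPE_ANY = 255
TC_FLAG = 0x0200  # "truncated" bit in the header flags word

def build_query(name, qtype=QTYPE_ANY, qid=0x1234, edns_size=4096):
    """Build a wire-format query with an EDNS0 OPT record (dig's default)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)  # root name, type OPT, UDP size
    return header + question + opt

def parse_header(resp):
    """Summarise a response: TC bit, rcode, answer count and total size."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0x0F,
            "ancount": an, "size": len(resp)}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf

def query(server, name, tcp=False, timeout=3.0):
    """One ANY query over UDP or TCP; never retries over TCP (like dig +ignore)."""
    q = build_query(name)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(65535)
    return parse_header(data)

def compare(server, name):  # UDP should be small (minimal-any); TCP is the full ANY set
    return {"udp": query(server, name, tcp=False), "tcp": query(server, name, tcp=True)}

# Constructed 12-byte header: QR|TC|RD|RA set, NOERROR, no answer records.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```

Run `compare("ns1.domainmail.org", "domainmail.org")` against each NS in turn: a UDP result with `tc` set means the chosen RRset (the DNSKEY set in Tony's analysis) did not fit, while a small `size` with `tc` clear means minimal-any answered as intended.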
