Jim Popovitch via bind-users <bind-users@lists.isc.org> wrote:
>
> Thanks. Now I'm seeing something slightly different. I have 3 NS
> servers, ns{1-3}.domainmail.org.
>
> When I first asked 3 days ago I was seeing long ANY responses on the
> master (ns1). Today I am seeing long ANY responses on ns3 (but not
> ns1). O.o
>
> for ns in ns1 ns2 ns3; do dig ANY domainmail.org @$ns.domainmail.org|wc -c;
> done
> 591
> 610
> 13280
OK, this is SUBTLE.

minimal-any is a bit stupid: it just hands out the first RRset it gets out of the guts of BIND without any attempt to choose the smallest or otherwise choose an RRset consistently. This means you will get different answers from different servers depending on how the zone has changed recently - especially if there is churn due to DNSSEC re-signing. So it is expected that you will get answers of varying sizes.

But why such a huge variation in this case? Well, minimal-any doesn't apply to queries over TCP - you get the full unexpurgated ANY response over TCP. So, if you use `dig +tcp` you will get the huge answer from all your servers. If you use `dig +ignore` (i.e. ignore truncation) you will prevent dig from switching from UDP to TCP, so you should get a more reliable indication that minimal-any is actually working.

Now why are you getting a truncated response? If I look at the RRsets at the apex of your zone, most of them are pretty small, but the DNSKEY RRset is huge. (See script below.) So if your server happens to choose the DNSKEY RRset as its response to ANY, that might lead to TC and retry over TCP.

Your DNSKEY RRset is huge because you have four keys (two KSKs and two ZSKs) and four RRSIGs (one for each key). You can reduce this a bit by setting dnssec-dnskey-kskonly in named.conf. This tells BIND to only use KSKs to sign the DNSKEY RRset, which would reduce you from 4 signatures to 2. You can also be careful when setting up your key rollovers so that only one key is active at a time, which would reduce you to 1 signature. And you can avoid rolling ZSK and KSK at the same time, so you only have 2 or 3 DNSKEY records.
$ dig +dnssec +tcp domainmail.org any @ns1.domainmail.org |
    awk '!/^;|^$/ { print $4 }' | sort -u |
    while read t; do
        echo $t
        dig +norec +ignore +dnssec domainmail.org $t @ns1.domainmail.org | grep SIZE
    done
A
;; MSG SIZE  rcvd: 691
AAAA
;; MSG SIZE  rcvd: 703
DNSKEY
;; MSG SIZE  rcvd: 3407
MX
;; MSG SIZE  rcvd: 696
NS
;; MSG SIZE  rcvd: 729
NSEC
;; MSG SIZE  rcvd: 725
RRSIG
;; MSG SIZE  rcvd: 675
SOA
;; MSG SIZE  rcvd: 722
SPF
;; MSG SIZE  rcvd: 727
TXT
;; MSG SIZE  rcvd: 808

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Northwest Hebrides, Bailey: Cyclonic 5 to 7, becoming southwesterly 7 to severe gale 9. Rough becoming high or very high. Occasional rain. Moderate or poor, occasionally good.
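The check Tony recommends (query each server with `dig +ignore` so dig stays on UDP and never retries over TCP) is easy to misread by eye. The following Python 3 script is an added example, not part of the original thread and not BIND's or dig's own code: it parses dig output for the TC flag, the MSG SIZE and the RR types in the ANSWER section, and gives a per-server verdict (single RRset: minimal-any is working; TC set: the chosen RRset, typically DNSKEY, did not fit; several RRsets: the full ANY answer). The three dig outputs embedded in it are constructed to mirror the thread's servers and sizes, not captured; `run_dig` uses the same dig flags as Tony's script and needs network access, so the demo runs offline on the samples and only uses `run_dig` if you pass it in.

```python
"""Interpret 'dig +norec +ignore +dnssec NAME any @SERVER' output per server.

Added example, not part of the original thread.  With +ignore, dig does not
retry over TCP after a truncated reply, so the UDP answer shows what
minimal-any actually handed out: one RRset (working), a TC flag (the chosen
RRset, e.g. DNSKEY, did not fit), or the whole ANY answer (not in effect).
"""
import re
import subprocess


def run_dig(name, server, dig="dig"):
    """Run dig with the flags used in the thread; needs network access."""
    cmd = [dig, "+norec", "+ignore", "+dnssec", name, "any", "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_dig(output):
    """Return TC flag, MSG SIZE and the RR types seen in the ANSWER section."""
    flags, size, types, in_answer = set(), None, set(), False
    for line in output.splitlines():
        m = re.search(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.search(r";; MSG SIZE\s+rcvd: (\d+)", line)
        if m:
            size = int(m.group(1))
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";") or not line.strip():
            in_answer = False  # any other comment or a blank line ends the section
            continue
        if in_answer:
            fields = line.split()
            if len(fields) >= 4:
                types.add(fields[3])  # owner ttl class TYPE rdata...
    return {"truncated": "tc" in flags, "size": size, "types": sorted(types)}


def verdict(parsed):
    """Classify one server's answer (RRSIGs ride along with their RRset)."""
    rrsets = [t for t in parsed["types"] if t != "RRSIG"]
    chosen = rrsets[0] if len(rrsets) == 1 else "an RRset (not shown)"
    if parsed["truncated"]:
        return (f"TC set: {chosen} did not fit in UDP; without +ignore dig "
                "would retry over TCP and get the full ANY answer")
    if len(rrsets) == 1:
        return f"minimal-any in effect: single {chosen} RRset, {parsed['size']} bytes"
    return f"full ANY answer: {len(rrsets)} RRsets, {parsed['size']} bytes"


def check_servers(name, servers, fetch=run_dig):
    """Map each server to its verdict; fetch(name, server) returns dig output."""
    return {s: verdict(parse_dig(fetch(name, s))) for s in servers}


def _dig_text(flags, answer, size):
    """Build constructed dig-style output (sample data, not a real capture)."""
    return (f";; flags: {flags}; QUERY: 1, ANSWER: {len(answer)}, "
            "AUTHORITY: 0, ADDITIONAL: 1\n\n"
            ";; QUESTION SECTION:\n;domainmail.org.\t\tIN\tANY\n\n"
            ";; ANSWER SECTION:\n" + "\n".join(answer) + "\n\n"
            f";; MSG SIZE  rcvd: {size}\n")


# Constructed samples mirroring the thread: ns1 and ns2 hand out a small
# RRset, ns3 happened to pick DNSKEY and set TC.  Addresses and RRSIG data
# are placeholders.
SAMPLE = {
    "ns1.domainmail.org": _dig_text("qr aa", [
        "domainmail.org.\t300\tIN\tA\t192.0.2.10",
        "domainmail.org.\t300\tIN\tRRSIG\tA 8 2 300 20160101000000 "
        "20151201000000 12345 domainmail.org. c29tZXNpZw=="], 691),
    "ns2.domainmail.org": _dig_text("qr aa", [
        "domainmail.org.\t300\tIN\tAAAA\t2001:db8::10",
        "domainmail.org.\t300\tIN\tRRSIG\tAAAA 8 2 300 20160101000000 "
        "20151201000000 12345 domainmail.org. c29tZXNpZw=="], 703),
    "ns3.domainmail.org": _dig_text("qr aa tc", [
        "domainmail.org.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcOnstructed=="], 471),
}


if __name__ == "__main__":
    # Offline demo on the samples; use fetch=run_dig to query live servers.
    results = check_servers("domainmail.org", list(SAMPLE),
                            fetch=lambda n, s: SAMPLE[s])
    for server, v in results.items():
        print(f"{server}: {v}")
```

A server that reports "TC set" under `+ignore` is the one whose minimal-any pick is too big for the client's UDP buffer, which is exactly the case where a plain `dig ANY` silently retries over TCP and shows the multi-kilobyte answer Jim saw; shrinking the DNSKEY RRset (dnssec-dnskey-kskonly, fewer concurrent keys) is what removes that outcome.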