Olafur Gudmundsson
2016-May-11 19:16 UTC
[nsd-users] Additional section and minimal responses
> On May 11, 2016, at 9:12 AM, John Bond <nsd at johnbond.org> wrote:
>
> On 10/05/2016 19:16, Anand Buddhdev wrote:
>> On 10/05/16 19:48, John Bond wrote:
>>>
>>> I have set up an example.com zone on one of my servers to demonstrate
>>> this. The following query produces no glue records in the additional
>>> section.
>>>
>>> dig ns example.com. @5.28.62.36 +bufsize=1440 +norec
>>
>> Right, so here, NSD isn't providing any glue. However... the recursor
>> already has at least one address that it knows answers for example.com
>> (because the response had AA), and this address is 5.28.62.36. So the
>> recursor should be able to follow up with A and AAAA queries to
>> 5.28.62.36 for all those NS records it got in the answer.
> Ahh yes, thanks
>>
>> However, if the response from 5.28.62.36 had not been an authoritative
>> answer, but rather a delegation, then missing glue would make resolution
>> fail. NSD should recognise this, and set the TC bit in the response to
>> encourage the client to come back over TCP.
> So I created a delegation and I still receive no glue; see the following
>
> dig ns sub.example.com. @5.28.62.36 +bufsize=1444 +norec
> dig ns sub.example.com. @2001:41c9:1:41c::36 +bufsize=1444 +norec
>
> This server will also allow axfr for the example.com and the nsd config
> is available here
> https://gist.github.com/b4ldr/ec7e27c96099da0c86c815340c286697
>
> Thanks John

John,

The NS is 40 records that requires a 1444 byte answer, so when I increased the buffer size to 3K
I got two A records, indicating that the server is limiting answers it gives out over UDP.
With TCP I got

;; Query time: 89 msec
;; SERVER: 5.28.62.36#53(5.28.62.36)
;; WHEN: Wed May 11 15:13:04 EDT 2016
;; MSG SIZE rcvd: 3204

Check your settings for

       ipv4-edns-size: <number>
              Preferred EDNS buffer size for IPv4.

       ipv6-edns-size: <number>
              Preferred EDNS buffer size for IPv6.

Olafur
Hi Olafur,

On 11/05/2016 20:16, Olafur Gudmundsson wrote:
> The NS is 40 records that requires a 1444 byte answer so when I increased the buffer size to 3K
> I got two A records indicating that the server is limiting answers it gives out over UDP
> With tcp I got
> ;; Query time: 89 msec
> ;; SERVER: 5.28.62.36#53(5.28.62.36)
> ;; WHEN: Wed May 11 15:13:04 EDT 2016
> ;; MSG SIZE rcvd: 3204
>
> check your settings for
> ipv4-edns-size: <number>
> Preferred EDNS buffer size for IPv4.
> ipv6-edns-size: <number>
> Preferred EDNS buffer size for IPv6.

Both of these are set to 4k on the server side. However, the dig commands I use are forcing the EDNS size to 1444 to highlight this issue.

For clarity, and to remove EDNS from the equation, I have created a delegation that will never send glue records unless one queries over TCP. Furthermore, TC=1 will never be sent unless your EDNS buffer size is < 1480.

`dig ns sub1.example.com. @5.28.62.36`

This is being controlled by the minimum response size feature introduced in nsd 3.2.9

'''
Minimize responses to reduce truncation: NSD will only add optional
records to the authority and additional sections when the response size
does not exceed the minimal response size. The minimal response size is
512 (no-EDNS), 1480 (EDNS/IPv4), 1220 (EDNS/IPv6), or the advertized
EDNS buffer size if that is smaller than the EDNS default.
'''

My expectation is that nsd should always endeavour to send at least one glue record when answering with a delegation. Otherwise recursion will fail at this point, and in this case sub1.example.com would never resolve.

Thanks
John
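The sizes reported in this thread can be checked against the quoted release-note rule with a small model. This is an added example, not part of the original messages and not NSD's code. It assumes 16-byte A and 28-byte AAAA glue records (compressed owner names), A glue tried before AAAA, a 3072-byte value for the "3K" buffer, and a TC bit that is set only when the mandatory records do not fit.

```python
# Added illustration of the "minimal response size" rule quoted above.
# A model of the described behaviour, not NSD source code.

EDNS_MINIMAL = {4: 1480, 6: 1220}  # EDNS defaults from the quoted release note
NO_EDNS_MAX = 512                  # no-EDNS limit from the same note
TCP_MAX = 65535                    # assumption: TCP is bound only by the DNS maximum
A_GLUE, AAAA_GLUE = 16, 28         # RR wire size with a 2-byte compressed owner name


def respond(mandatory, optional, ip_version=4, bufsize=None, tcp=False):
    """Model one response.

    mandatory: bytes of the records that must be sent (here, the NS set).
    optional:  wire sizes of optional additional records, in the order tried.
    Returns the final size, how many optional records fit, and the TC bit.
    """
    max_msg = TCP_MAX if tcp else (bufsize or NO_EDNS_MAX)
    # Optional records are added only while the response stays within the
    # minimal response size, which is capped by the advertised buffer.
    limit = max_msg if tcp else min(max_msg, EDNS_MINIMAL[ip_version])
    size, included = mandatory, 0
    for rec in optional:
        if size + rec > limit:
            break
        size += rec
        included += 1
    # Assumption: TC is set only when the mandatory records do not fit,
    # so dropped glue alone never sets it.
    return {"size": size, "glue": included, "tc": mandatory > max_msg}


# Constructed input matching the thread: a 1444-byte NS answer for 40 name
# servers, each with one A and one AAAA glue record (A records tried first).
NS_ANSWER = 1444
GLUE = [A_GLUE] * 40 + [AAAA_GLUE] * 40

if __name__ == "__main__":
    for label, kwargs in [
        ("UDP, +bufsize=1444", {"bufsize": 1444}),
        ("UDP, 3K buffer (3072, constructed)", {"bufsize": 3072}),
        ("TCP", {"tcp": True}),
    ]:
        print(label, respond(NS_ANSWER, GLUE, **kwargs))
```

Under these assumptions the model reproduces the observations in the thread: no glue at a 1444-byte buffer, two A records with a 3K buffer, and a 3204-byte response over TCP, with TC clear in every case.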