I'm experimenting with nsd for my secondaries.

I notice that an MX lookup for my primary zone includes the AAAA for only one of the two MXs returned.

The primary NS, running power, includes the AAAA for both MXs.

The difference seems to be that power doesn't send authority records, and therefore can fit all nine of the additional records which it sends.

By including the NS set (3 NS and an RRSIG), nsd wants to send 17 additional records (determined via a tcp query), but can only fit 11 in udp.

For the tcp query, dig reports "MSG SIZE rcvd: 2026" and for the udp query it reports "MSG SIZE rcvd: 1429", which implies that nsd's 4096 default is not the problem.

Without dnssec, of course, everything fits.

The MX whose AAAA is returned happens also to be an NS for the zone; I cannot tell whether that is why its AAAA gets included.

Can nsd be configured to skip the authority block? Or would that require a recompilation? Or to put the additionals from the answer ahead of the additionals from the authority?

Amusingly, sending the query via udp/ip6 returns NO AAAA records at all, so a v6-only client would need to do explicit AAAA queries for each mx after doing the MX query.

Without the authority section, even a v6 reply with the additionals for the mx answer fits into a single ethernet frame.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
W.C.A. Wijngaards
2013-Aug-01 06:56 UTC
[nsd-users] authority section blocking aaaa additionals
Hi James,

On 07/31/2013 06:55 PM, James Cloos wrote:
> I'm experimenting with nsd for my secondaries.
>
> I notice that an MX lookup for my primary zone includes the AAAA
> for only one of the two MXs returned.
>
> The primary NS, running power, includes the AAAA for both MXs.
>
> The difference seems to be that power doesn't send authority
> records, and therefore can fit all nine of the additional records
> which it sends.
>
> By including the NS set (3 NS and an RRSIG), nsd wants to send 17
> additional records (determined via a tcp query), but can only fit
> 11 in udp.
>
> For the tcp query, dig reports "MSG SIZE rcvd: 2026" and for the
> udp query it reports "MSG SIZE rcvd: 1429", which implies that
> nsd's 4096 default is not the problem.

This is because NSD uses a UDP size limit of 1480 (IPv4) and 1220 (IPv6). And this is how it truncates the messages. This is why on IPv6 you get less data. And the additional AAAA records do not fit within this limit.

If you do not want this, use ./configure --disable-minimal-responses and then it'll use 4096 like you thought you wanted.

> Without dnssec, of course, everything fits.

It is the size.

Best regards,
   Wouter

> The MX whose AAAA is returned happens also to be an NS for the
> zone; I cannot tell whether that is why its AAAA gets included.
>
> Can nsd be configured to skip the authority block? Or would that
> require a recompilation? Or to put the additionals from the
> answer ahead of the additionals from the authority?
>
> Amusingly, sending the query via udp/ip6 returns NO AAAA records at
> all, so a v6-only client would need to do explicit AAAA queries for
> each mx after doing the MX query.
>
> Without the authority section, even a v6 reply with the additionals
> for the mx answer fits into a single ethernet frame.
>
> -JimC
Lukas Wunner
2013-Aug-01 14:18 UTC
[nsd-users] authority section blocking aaaa additionals
Hi,

On Wed, Jul 31, 2013 at 12:55:38PM -0400, James Cloos wrote:
> Can nsd be configured to skip the authority block?
> Or to put the additionals from the answer ahead
> of the additionals from the authority?

RFC 1035 section 6.2 specifies:

   When a response is so long that truncation is required, the
   truncation should start at the end of the response and work
   forward in the datagram. Thus if there is any data for the
   authority section, the answer section is guaranteed to be unique.

And as per section 4.1 the sections are ordered thus:

    +---------------------+
    |        Header       |
    +---------------------+
    |       Question      | the question for the name server
    +---------------------+
    |        Answer       | RRs answering the question
    +---------------------+
    |      Authority      | RRs pointing toward an authority
    +---------------------+
    |      Additional     | RRs holding additional information
    +---------------------+

So the answer to your first question is a nameserver "should not" do that and the answer to the second question is no.

Best regards,

Lukas
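The two replies above together explain the behaviour: Wouter's per-family UDP limits (1480 bytes on IPv4, 1220 on IPv6, 4096 only with --disable-minimal-responses) and Lukas's RFC 1035 section 6.2 rule that truncation works from the end of the datagram forward. The script below is an added example, not NSD's code or anything posted in this thread. It builds a wire-format DNSSEC-signed MX response for a constructed zone (example.net., two MX hosts, three NS hosts, one MX that is also an NS, zero-filled 128-byte signatures) and trims it from the end, dropping whole RRsets together with their RRSIG so a record never travels without its signature. The order of the additional section (addresses of the MX targets first, A before AAAA, then the NS glue) is an assumption chosen so the model reproduces what James observed; NSD's real ordering, name compression and the EDNS OPT record are not modelled, which is why the sizes differ from the 1429 bytes dig reported.

```python
"""Model of UDP response truncation (added example; not NSD's own code).

Rules applied: RFC 1035 section 6.2 (cut from the end of the datagram
forward), RFC 2181 section 9 (never split an RRset, here: RRs + RRSIG stay
together) and the UDP limits from Wouter's reply. Zone data, addresses,
TTLs, key tag and signature bytes are constructed for illustration; the
additional-section order is an assumption, not NSD's documented order."""
import struct

TYPE_A, TYPE_NS, TYPE_MX, TYPE_AAAA, TYPE_RRSIG = 1, 2, 15, 28, 46
CLASS_IN = 1
LIMIT_IPV4, LIMIT_IPV6, LIMIT_EDNS = 1480, 1220, 4096   # per Wouter's reply


def name_wire(name):
    """Uncompressed wire-format domain name (no label compression, for clarity)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(owner, rtype, rdata, ttl=3600):
    """NAME TYPE CLASS TTL RDLENGTH RDATA (RFC 1035 section 4.1.3)."""
    return name_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig(owner, covered, signer, sig_len=128):
    """RRSIG whose signature is sig_len zero bytes (constructed, RSA-1024 sized)."""
    labels = len(owner.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", covered, 5, labels, 3600, 0, 0, 12345)
    return rr(owner, TYPE_RRSIG, fixed + name_wire(signer) + bytes(sig_len))


def rrset(owner, rtype, rdatas, signer):
    """(type, owner, wire records): the RRs plus their RRSIG, handled as one unit."""
    return (rtype, owner, [rr(owner, rtype, rd) for rd in rdatas] + [rrsig(owner, rtype, signer)])


def build_sections(zone="example.net."):
    """Constructed zone: two MX, three NS; mx1 is also an NS, as in the thread."""
    mx1, mx2, ns2, ns3 = ("%s.%s" % (h, zone) for h in ("mx1", "mx2", "ns2", "ns3"))

    def a(i):
        return bytes([192, 0, 2, i])            # 192.0.2.i (documentation range)

    def aaaa(i):
        return bytes.fromhex("20010db8") + bytes(11) + bytes([i])   # 2001:db8::i

    answer = [rrset(zone, TYPE_MX, [struct.pack("!H", 10) + name_wire(mx1),
                                    struct.pack("!H", 20) + name_wire(mx2)], zone)]
    authority = [rrset(zone, TYPE_NS, [name_wire(n) for n in (mx1, ns2, ns3)], zone)]
    # Assumed order: addresses of the answer's MX targets first (A before AAAA),
    # then glue for the remaining NS names.
    hosts = [(mx1, 1), (mx2, 2), (ns2, 3), (ns3, 4)]
    additional = ([rrset(h, TYPE_A, [a(i)], zone) for h, i in hosts[:2]]
                  + [rrset(h, TYPE_AAAA, [aaaa(i)], zone) for h, i in hosts[:2]]
                  + [rrset(h, TYPE_A, [a(i)], zone) for h, i in hosts[2:]]
                  + [rrset(h, TYPE_AAAA, [aaaa(i)], zone) for h, i in hosts[2:]])
    return zone, answer, authority, additional


def truncate(qname, qtype, answer, authority, additional, limit):
    """Drop whole RRsets from the end of the datagram until it fits in `limit`.

    Additional RRsets go first and only cost completeness; once the authority
    or answer section has to be cut, TC is set so the client retries over TCP."""
    sections = [list(answer), list(authority), list(additional)]
    question = name_wire(qname) + struct.pack("!HH", qtype, CLASS_IN)
    tc = False

    def size():
        return 12 + len(question) + sum(len(w) for sec in sections for _, _, rrs in sec for w in rrs)

    for idx in (2, 1, 0):                        # additional, then authority, then answer
        while size() > limit and sections[idx]:
            sections[idx].pop()
            tc = tc or idx < 2
    counts = [sum(len(rrs) for _, _, rrs in sec) for sec in sections]
    flags = 0x8400 | (0x0200 if tc else 0)      # QR + AA, plus TC when cut
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, *counts)
    wire = header + question + b"".join(w for sec in sections for _, _, rrs in sec for w in rrs)
    return {"wire": wire, "size": len(wire), "tc": tc,
            "answer": counts[0], "authority": counts[1], "additional": counts[2],
            "aaaa": sum(1 for t, _, _ in sections[2] if t == TYPE_AAAA)}


def summarize(limit):
    """Trim the constructed MX response to `limit` bytes and report what survived."""
    zone, answer, authority, additional = build_sections()
    return truncate(zone, TYPE_MX, answer, authority, additional, limit)


if __name__ == "__main__":
    for label, limit in (("EDNS 4096", LIMIT_EDNS), ("IPv4 1480", LIMIT_IPV4),
                         ("IPv6 1220", LIMIT_IPV6), ("classic 512", 512)):
        r = summarize(limit)
        print("%-12s size=%4d an=%d ns=%d ar=%2d aaaa=%d tc=%s" % (
            label, r["size"], r["answer"], r["authority"], r["additional"], r["aaaa"], r["tc"]))
```

Run stand-alone it prints one line per limit: at 4096 all 16 additional records (four AAAA) fit; at 1480 the AAAA for mx2 is the first casualty and only one AAAA survives; at 1220 no AAAA survives at all, matching the v4/v6 difference James saw, while the answer and authority sections stay intact and TC stays clear; only at a 512-byte limit does the NS RRset itself have to go, and then the model sets TC. The point the model makes concrete is Lukas's: the server is not choosing to prefer NS glue over MX glue, it is cutting from the tail, so which additionals survive is decided by their position in the datagram and the size limit, not by which section they belong to.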