Stephane,

how often would this option be used? In most cases the minimal responses are what you want (even if you don't know you want it :)).

Let's not bikeshed the (nsd and general) config files, please...

Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) - a high-performance DNS server
Vše pro chleba (https://vseprochleba.cz) - supplies for baking bread of all kinds

On Wed, May 4, 2016, at 10:57, Stephane Bortzmeyer wrote:
> On Wed, May 04, 2016 at 10:32:51AM +0200,
> W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote
> a message of 108 lines which said:
>
> > Try using --disable-minimal-responses for ./configure.
>
> It works, thanks.
>
> But it is not very convenient if you use a package and do not compile
> yourself. Would it be possible to make it a configurable option and
> not just a compile-time one?

Hello All,

I'm looking at minimal responses and I wanted to get some input about how it works. I understand that "The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4), 1220 (EDNS/IPv6), or the advertised EDNS buffer size if that is smaller than the EDNS default."

What I wanted to ask is how does the name server decide what parts of the additional section are removed? For instance, if the query came in over IPv6, would nsd attempt to add AAAA glue before A glue? If the zone is signed, will it attempt to only add glue if it can also add the RRSIG record?

Finally, I thought that you would have to include at least one glue record in the additional section, otherwise a resolution is not possible. However, nsd will answer with an empty additional section even if all labels in the NS set are in zone. Is this an error or have I missed something?

I have set up an example.com zone on one of my servers to demonstrate this. The following query produces no glue records in the additional section.

    dig ns example.com. @5.28.62.36 +bufsize=1440 +norec

Increasing the bufsize does add additional glue until you get to 1.5k, at which point the hard limit in nsd kicks in. You can also see that no glue is given over DNSSEC, but the bufsize at this point is already over the 1500 limit.

    dig +dnssec ns example.com. @5.28.62.36 +bufsize=1620 +norec

You can also test this over IPv6 @2001:41c9:1:41c::36

Thanks,
John
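
The size rule quoted in the message above, as an added example that is not part of the original thread and is not NSD's code: it reads the advertised EDNS buffer size out of a wire-format query and applies the quoted limits. All function names are hypothetical and the queries are constructed samples; it models only the size cap, not which additional-section records the server drops.

```python
import struct

# Limits quoted in the message above, in bytes (EDNS OPT is RR type 41).
NO_EDNS, EDNS_V4, EDNS_V6, TYPE_OPT = 512, 1480, 1220, 41

def build_query(name, qtype, bufsize=None):
    """Constructed sample query; bufsize=None means no EDNS OPT record."""
    msg = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0 if bufsize is None else 1)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    if bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the name at off (labels or a pointer)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def advertised_bufsize(msg):
    """Return the EDNS buffer size a query advertises, or None without OPT."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            return rclass  # OPT reuses CLASS for the UDP payload size
        off += 10 + rdlen
    return None

def response_limit(query, ipv6):
    """Apply the quoted rule: fixed default, or the advertised size if smaller."""
    bufsize = advertised_bufsize(query)
    if bufsize is None:
        return NO_EDNS
    return min(bufsize, EDNS_V6 if ipv6 else EDNS_V4)
```

With the two `+bufsize` values from the dig commands above, the 1440 query is capped at its own advertised size over IPv4, while the 1620 query hits the fixed 1480 default; over IPv6 both are capped at 1220.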