Hi Olafur,

On 11/05/2016 20:16, Olafur Gudmundsson wrote:
> The NS is 40 records that requires a 1444 byte answer so when I increased the buffer size to 3K
> I got two A records indicating that the server is limiting answers it gives out over UDP
> With tcp I got
> ;; Query time: 89 msec
> ;; SERVER: 5.28.62.36#53(5.28.62.36)
> ;; WHEN: Wed May 11 15:13:04 EDT 2016
> ;; MSG SIZE rcvd: 3204
>
> check your settings for
> ipv4-edns-size: <number>
>     Preferred EDNS buffer size for IPv4.
> ipv6-edns-size: <number>
>     Preferred EDNS buffer size for IPv6.

Both of these are set to 4k on the server side. However, the dig commands I use are forcing the EDNS size to 1444 to highlight this issue.

For clarity, and to remove EDNS from the equation, I have created a delegation that will never send glue records unless one queries over TCP. Furthermore, TC=1 will never be sent unless your EDNS buffer size is < 1480.

`dig ns sub1.example.com. @5.28.62.36`

This is being controlled by the minimum response size feature introduced in nsd 3.2.9:

'''
Minimize responses to reduce truncation: NSD will only add optional records to the authority and additional sections when the response size does not exceed the minimal response size. The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4), 1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is smaller than the EDNS default.
'''

My expectation is that nsd should always endeavour to send at least one glue record when answering with a delegation. Otherwise recursion will fail at this point and in this case sub1.example.com would never resolve.

Thanks
John
W.C.A. Wijngaards
2016-May-12 12:53 UTC
[nsd-users] Additional section and minimal responses
Hi,

On 12/05/16 14:27, John Bond wrote:
> Hi Olafur,
>
> On 11/05/2016 20:16, Olafur Gudmundsson wrote:
>
>> The NS is 40 records that requires a 1444 byte answer so when I increased the buffer size to 3K
>> I got two A records indicating that the server is limiting answers it gives out over UDP
>
> My expectation is that nsd should always endeavour to send at least one
> glue record when answering with a delegation. Otherwise recursion will
> fail at this point and in this case sub1.example.com would never resolve.

I have implemented the following fixes (in the code repository, works with the example.com zone that John set up):

NSD includes AAAA before A when the query is over IPv6 for glue.

NSD sets TC if it cannot provide at least one glue (only for delegations that have glue; only glue of the matching address family counts).

I hope this resolves this issue.

Best regards,
Wouter
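
The failure mode discussed in this thread (a referral that needs glue but arrives without it and without TC=1) can be checked on a raw DNS response. The following is an added example, not code from NSD or from the participants in this thread; the function names, the `ns.example.net` style host names and the 192.0.2.1 address are constructed for illustration.

```python
import struct
A, NS, AAAA, TC = 1, 2, 28, 0x0200

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end, hops = end or off + 2, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
            off += 1 + n
    return ".".join(labels) + ".", end or off + 1

def classify(msg):
    """Return not-referral, glue-present, no-glue-needed, truncated or glue-missing-no-tc."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QNAME, QTYPE, QCLASS
    referral = needs_glue = has_glue = False
    for i in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if an <= i < an + ns and rtype == NS:
            referral = True
            # Glue is needed only when the name server sits at or below the cut.
            needs_glue |= ("." + read_name(msg, off)[0]).endswith("." + owner)
        elif i >= an + ns and rtype in (A, AAAA):
            has_glue = True
        off += rdlen
    if an or not referral:
        return "not-referral"
    if has_glue or not needs_glue:
        return "glue-present" if has_glue else "no-glue-needed"
    return "truncated" if flags & TC else "glue-missing-no-tc"

def sample(tc, glue, host="ns1.sub1.example.com", zone="sub1.example.com"):
    """Constructed referral for a delegated zone (not captured traffic)."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
    rr = lambda o, t, d: enc(o) + struct.pack("!HHIH", t, 1, 3600, len(d)) + d
    body = enc(zone) + struct.pack("!HH", NS, 1) + rr(zone, NS, enc(host))
    if glue:
        body += rr(host, A, bytes([192, 0, 2, 1]))
    return struct.pack("!6H", 1, 0x8000 | (TC if tc else 0), 1, 0, 1, int(glue)) + body
```

The check treats any A or AAAA record in the additional section as glue and does not compare its address family with the query transport.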