Hello.
I configured "max-udp-payload 1464" and noticed that Knot 1.4 sets tc if
it can't fit RRSIGs for records in the additional section while 1.3.4
didn't.
I was wondering what the reasoning is behind this behaviour. Shouldn't
validating resolvers ignore unsigned record sets in the additional
section anyway?
In my tests, Knot 1.4 almost always sets tc unless it can fit all
DNSKEYs, nameserver addresses and their signatures in the additional
section. That seems a bit excessive. There are only a few narrow buffer
sizes ranges that don't result in a truncated response, depending on the
reply content:
$ l=""; i=1800; j=$i; while [
"$i" -lt "4097" ]; do n="`dig +bufsize=$i +ignore +norec +dnssec
openchaos.org soa @nsig17.openchaos.org |grep ";; flags:"`"; [
"$l" != "$n" ] && { echo "$j - $(($i-1)): $l"; l=$n;
j=$i; }; i=$(($i+1)); done; echo "$j - $(($i-1)): $n"
1883 - 1898: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 4
2102 - 2129: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 6
2333 - 2348: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 8
2552 - 2567: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 10
2771 - 2798: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 12
3002 - 3017: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
3221 - 3236: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 16
3440 - 3455: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 18
3659 - 3686: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 20
3890 - 4096: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 22
FWIW, the attached patch works for me. It should remove the last
additional record if its RRSIG doesn't fit.
Hauke
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz