Hello.
 I configured "max-udp-payload 1464" and noticed that Knot 1.4 sets tc if
 it can't fit RRSIGs for records in the additional section while 1.3.4
 didn't.
 I was wondering what the reasoning is behind this behaviour. Shouldn't
 validating resolvers ignore unsigned record sets in the additional
 section anyway?
 In my tests, Knot 1.4 almost always sets tc unless it can fit all
 DNSKEYs, nameserver addresses and their signatures in the additional
 section. That seems a bit excessive. There are only a few narrow buffer
 size ranges that don't result in a truncated response, depending on the
 reply content:
  $ l=""; i=1800; j=$i
  $ while [ "$i" -lt "4097" ]; do
  >   n="$(dig +bufsize=$i +ignore +norec +dnssec openchaos.org soa @nsig17.openchaos.org | grep ";; flags:")"
  >   [ -n "$l" ] && [ "$l" != "$n" ] && { echo "$j - $(($i-1)): $l"; j=$i; }
  >   l=$n; i=$(($i+1))
  > done; echo "$j - $(($i-1)): $n"
 1883 - 1898: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 4
 2102 - 2129: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 6
 2333 - 2348: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 8
 2552 - 2567: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 10
 2771 - 2798: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 12
 3002 - 3017: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
 3221 - 3236: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 16
 3440 - 3455: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 18
 3659 - 3686: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 20
 3890 - 4096: ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 22 
 FWIW, the attached patch works for me. It should remove the last
 additional record if its RRSIG doesn't fit.
 Hauke
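An added model of the packing rule discussed above (example code, not Knot's and not the patch): it assumes constructed wire sizes (203-byte RRSIGs, 16-byte A and 28-byte AAAA RRsets over a 1664-byte base) chosen so that a buffer-size sweep reproduces the windows from the dig loop, and compares the observed 1.4 behaviour with the drop-the-unsigned-RRset behaviour the patch proposes.

```python
"""Model of the truncation behaviour described in the post (added example,
not Knot code).  Sizes are constructed: the gap between two good windows is
one RRSIG (203 bytes) and a window is as wide as the next A (16) or AAAA (28)
RRset, which is why the non-truncated ranges are so narrow."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    rtype: str
    size: int        # wire size of the RRset itself (constructed)
    rrsig_size: int  # wire size of its covering RRSIG, 0 if unsigned


def pack(fixed, additional, max_payload, drop_unsigned):
    """Return (additional_records, tc) for one reply.

    fixed: bytes used by header, question, answer, authority and OPT; these
    must always fit.  drop_unsigned=False models Knot 1.4 as observed: an
    RRset whose RRSIG does not fit leaves TC set.  drop_unsigned=True models
    the proposed patch: that RRset is omitted and TC stays clear.  An RRset
    that does not fit at all is omitted in both models (assumption).
    """
    if fixed > max_payload:
        return 0, True
    used, count = fixed, 0
    for rr in additional:
        if used + rr.size > max_payload:
            break
        if used + rr.size + rr.rrsig_size > max_payload:
            if drop_unsigned:
                break
            return count, True
        used += rr.size + rr.rrsig_size
        count += 2 if rr.rrsig_size else 1
    return count, False


def sweep(fixed, additional, lo, hi, drop_unsigned=False):
    """Like the dig loop: list runs of (first, last, records, tc)."""
    runs, start, last = [], lo, pack(fixed, additional, lo, drop_unsigned)
    for size in range(lo + 1, hi + 1):
        cur = pack(fixed, additional, size, drop_unsigned)
        if cur != last:
            runs.append((start, size - 1) + last)
            start, last = size, cur
    runs.append((start, hi) + last)
    return runs


# Constructed: one signed address RRset per name server, in this order.
ADDITIONAL = [RRset(t, 16 if t == "A" else 28, 203) for t in
              "A A AAAA A A AAAA A A A AAAA".split()]
```

sweep(1664, ADDITIONAL, 1800, 4096) yields the same window boundaries as the dig output above, while the same sweep with drop_unsigned=True never sets tc.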
 _______________________________________________
 knot-dns-users mailing list
 knot-dns-users(a)lists.nic.cz