Bug 1243 - Option to make NSD emit really minimal responses
Option to make NSD emit really minimal responses
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
4.1.x
All All
: P5 enhancement
Assigned To: NSD team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-27 12:55 CEST by Anand Buddhdev
Modified: 2019-04-04 07:02 CEST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Anand Buddhdev 2017-03-27 12:55:28 CEST
BIND, with the option "minimal-responses" set to "yes", and Knot >= 2.3 both emit the smallest possible responses. For example, if you query them for SOA records, they only return the SOA record in the answer, and nothing in the authority and additional sections. On the other hand, if the response is a referral, then of course NS records are returned in the authority section, and perhaps A and AAAA records in the additional section.

However, NSD always adds records to the authority and additional sections. Compare these 2 responses, the first from BIND, and the second from NSD:

; <<>> DiG 9.11.0-P3 <<>> +norec +nocookie +dnssec ripe.net soa @ns1.nl-ams.authdns.ripe.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52619
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ripe.net.		3600	IN	SOA	manus.authdns.ripe.net. dns.ripe.net. 1490599864 3600 600 864000 300
ripe.net.		3600	IN	RRSIG	SOA 8 2 3600 20170426100312 20170327090312 18978 ripe.net. L6E3yxOQ5+n4oWmhlMOYow38PIyGKbxbG0p8dLjD6uj4pT58+5KB6Wn4 wSWES259F+i7JzwLfgEqy64hFdVk1oU8ufs5IHTwvNiTuOcDo5+bEJAr MgzuYu+If4jgE4RTOMCALSCbT35rrt1o6A5BnRm2IMtiGOsF3/RUDSOc sAQ=


; <<>> DiG 9.11.0-P3 <<>> +norec +nocookie +dnssec ripe.net soa @ns3.nl-ams.authdns.ripe.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3720
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 5

;; ANSWER SECTION:
ripe.net.		3600	IN	SOA	manus.authdns.ripe.net. dns.ripe.net. 1490599864 3600 600 864000 300
ripe.net.		3600	IN	RRSIG	SOA 8 2 3600 20170426100312 20170327090312 18978 ripe.net. L6E3yxOQ5+n4oWmhlMOYow38PIyGKbxbG0p8dLjD6uj4pT58+5KB6Wn4 wSWES259F+i7JzwLfgEqy64hFdVk1oU8ufs5IHTwvNiTuOcDo5+bEJAr MgzuYu+If4jgE4RTOMCALSCbT35rrt1o6A5BnRm2IMtiGOsF3/RUDSOc sAQ=

;; AUTHORITY SECTION:
ripe.net.		3600	IN	NS	a1.verisigndns.com.
ripe.net.		3600	IN	NS	a2.verisigndns.com.
ripe.net.		3600	IN	NS	a3.verisigndns.com.
ripe.net.		3600	IN	NS	sec3.apnic.net.
ripe.net.		3600	IN	NS	manus.authdns.ripe.net.
ripe.net.		3600	IN	NS	sns-pb.isc.org.
ripe.net.		3600	IN	NS	tinnie.arin.net.
ripe.net.		3600	IN	RRSIG	NS 8 2 3600 20170426100312 20170327090312 18978 ripe.net. B+uED5wo1vVzgzWT/qvkXIqbgYFI2N6AtNoUlihrrGimgdRXPYbMf3W3 KZryI8QUKcLGtKaEt7z8EINjbPFcWWVie3OnSq6V+jD6PUBdklgXq8/S hJAVLXOhr1wOOyfd8JCb+7J17uFrDPQVhYlbVnOprXd83rR8TzE0raDh Mj0=

;; ADDITIONAL SECTION:
manus.authdns.ripe.net.	3600	IN	A	193.0.9.7
manus.authdns.ripe.net.	3600	IN	RRSIG	A 8 4 3600 20170426100312 20170327090312 18978 ripe.net. FvY2bhCyVXftsBk4TAHjtE/0z30RnL5u++rnH3zKElIqmjifbaSfl+wS HBWd2zrc93tNWsL1vCv41U954D8gtwhQ9OOqXvuPPNim5WH8Ex4GUkAz tgGfNMD+FroHw+7x/Pc8KlXJB9iOjG7Fo7cHsPY8Qv/D7pzOhEX9Bzwh GYA=
manus.authdns.ripe.net.	3600	IN	AAAA	2001:67c:e0::7
manus.authdns.ripe.net.	3600	IN	RRSIG	AAAA 8 4 3600 20170426100312 20170327090312 18978 ripe.net. S9TXylfd7LeFJiow7KGCtjfvWPSRQg5L2eToqOFMm0b62tHD1sHFBdjw TJFQE+IMe5hYC5JFjbMSJciIdIBfhgq1wl0zacJXxj0WBxgSu78vDeNu WqFIGeNqk4bMUDGq1bz3dLbRgQkyzU4Bqr7RkBQNPAMr5QMAyDp43j9o PIo=



For many queries, such large responses as NSD emits, are not necessary. Could you consider an option to NSD that would make it emit the smallest possible responses, and add extra data only when necessary, such as for referrals?
Comment 1 Wouter Wijngaards 2017-03-27 13:51:29 CEST
Hi,

It is called minimal-responses: yes in nsd.conf.

This reduces as much as possible.

The --enable-minimal-responses only reduces onto the packet fragment border (and also still works).

Best regards, Wouter
Comment 2 Anand Buddhdev 2017-03-27 14:53:13 CEST
I've found one difference. BIND and Knot, even with minimal responses, send back a full response with glue, for a priming query (./IN/NS), whereas NSD is returning just the NS records.

A resolver can deal with this, but it has to send additional queries to find the addresses of each root name server.

Do you think you can special-case the priming query and make NSD emit a complete response?
Comment 3 Wouter Wijngaards 2017-03-27 14:59:35 CEST
Yes, it'll give additional information for qtype=NS.

Best regards, Wouter
Comment 4 ashu 2019-04-04 07:02:44 CEST
hey, i learn from this website how bluetooth turn on in windows 10 just click on this https://windowsclassroom.com/how-to-turn-on-bluetooth-on-windows-10/ and learn how to turn on bluetooth windows 10 an easy way to do this, thanks