
NSD additional section truncated

Open geertverheyen opened this issue 4 years ago • 2 comments

Hello, we noticed that the additional section in a DNS reply from NSD is truncated; see the example below. We are currently running NSD v4.1.24-2. In NSD v4.2.1 two new parameters are introduced (send-buffer-size and receive-buffer-size; https://www.nlnetlabs.nl/news/2019/Jul/09/nsd-4.2.1-released/); will configuring these parameters to a higher value have NSD send back the complete additional section? If not, how can we adjust NSD to send back the complete additional section?

dig @172.17.32.2 +bufsize=4096 dns.be -t A +notcp +dnssec

; <<>> DiG 9.11.7-RedHat-9.11.7-2.el7 <<>> @172.17.32.2 +bufsize=4096 dns.be -t A +notcp +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1162
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns.be.                        IN      A

;; ANSWER SECTION:
dns.be.                 60      IN      A       107.154.248.139
dns.be.                 60      IN      RRSIG   A 8 2 60 20190913145959 20190903144514 30315 dns.be. PABuufraNBwaMwfgEKBG/M+JzYNr4imS9n2dWQ5+0BrmkylqmyunUdWl ltd4dB+H3j5o3QaQN739zIgSjk/Yi5P2Ip3A9hxRg+axt9+jlJSLjZcY i76nP7h5bGSTS/dzuRyEBht64M8oGnyzhzou2i9m0aGBnBNw82zD9VgN PJDaY+YfHHkvAiK5bPwOmFfLBywVQxoygceiFMS1YOoNawSeY65T+6hV 4MSJmon+IQWiQd0rWm+AajZZDuMW1B3YT/ByMMMw63j4/pG8CrOOhBzJ PFVrZOSPrhNM6jOOxr/3rBYdmqwbaNnfW10RK62svb+eD5eu6X4OWqFd cBUZzQ==

;; AUTHORITY SECTION:
dns.be.                 86400   IN      NS      d.ns.dns.be.
dns.be.                 86400   IN      NS      a.ns.dns.be.
dns.be.                 86400   IN      NS      b.ns.dns.be.
dns.be.                 86400   IN      NS      c.ns.dns.be.
dns.be.                 86400   IN      NS      x.ns.dns.be.
dns.be.                 86400   IN      NS      y.ns.dns.be.
dns.be.                 86400   IN      RRSIG   NS 8 2 86400 20190916061726 20190906061640 30315 dns.be. fr5Ix0FiZlNKAmISFfp9KKSlaIcYEhPm9ZIfXs6UuZTeR46HT2hTLApO cAvZl0D90nOUsq3D0Icmj2wsWqaewec9pf32/RgcQSNqKejpUn1amaO1 zBkW9KLrhCftWYxncyp8HDwsxsFWGJxg8Md4w5+/Z8Wc7TBL9zNZPT2t AgFs1QjNI145vc2CjSLriUsWWYKhx9ickLynGvNihlrV0EZSZ9S1eZx6 blrIfx+pyMCxQAe31KhTh01MYXCZvlrJUrnfPDdNtxHmVGJ9EOaqJyce l+OkPNsFGzvkYloppI089vLD6sHS2YitX+W6wRdI/BBvvot/gFnvGp19 dTi8Zw==

;; ADDITIONAL SECTION:
d.ns.dns.be.            86400   IN      A       194.0.44.1
d.ns.dns.be.            86400   IN      RRSIG   A 8 4 86400 20190913134317 20190903133143 30315 dns.be. dN6PlAFKdsEsH2ccYlSrnpvAgOFSyyyPahcC5LB5C24+vGQcBKuOW2h9 aRyJ8RKIiDNV+D8nNt0ySLeeBRSF3R1MbTjiZlPfrmfQPNU9DuewjeHM q8fa+yKhStEp191ZuyBuonYfO5J2lEmWvICtauh7b5QYFt46G6iXrmGt AjxMtVMOYx2K8dKMqHgeJkGrQRJkdyoZ13UJKaFh1dQdNuwfApFs9ZMR GVRUNW1Aj0/SrSlh5K297Xb+A0g/donCvzS1GbSePa8yv16paYRYGu+U 8C64IkV3EehBXVQYc1TW30LTnN7hzJTaZB4iE4qNN/Ch6cSuMzuOJccs eGyz8g==
a.ns.dns.be.            86400   IN      A       194.0.6.1
a.ns.dns.be.            86400   IN      RRSIG   A 8 4 86400 20190913133954 20190903130316 30315 dns.be. ds/0ZsjajUfvg4JJOlp8KrrBrwV/iAqaK4XKLQwb6Avi6+BM9TU4MCnR QGS3kmfl8KFSmeUc1L2/zXAmZYvKB/IcsDDuBwc6lpQqgts1Wt5ai+lo +x0kYm7j8A/lry41k/JsuG+6fgITSH59HJz19pqRNUKEceB+g3tQIOwX cdGLH0rngnM2T0mku0Oqs4QI9VGHszoJVEoc6lQ/ENvHdMTb4ygQG+Wm ug4YogRDXMsUp75Cucc81UGwrXy6+ChFaNMB281Fc4dAmMBe2KKQLa2F oeeXaSQxAa4Cqc+s9a3/czc+huddQbaOwPVcr6TUdg6uthgqpv4c7lag c4Z5uQ==

;; Query time: 0 msec
;; SERVER: 172.17.32.2#53(172.17.32.2)
;; WHEN: Fri Sep 06 14:43:31 CEST 2019
;; MSG SIZE  rcvd: 1358

geertverheyen avatar Sep 06 '19 12:09 geertverheyen

The options you cite are for the buffer size of the socket in the operating system network stack, and do not change the additional section.

NSD tries to make all the answers fit in one datagram. It tries very hard to do that, because fragmentation is a big problem. So, although there are a number of options that will cause a larger response, you should not really turn them on like that. Instead, make sure that there is no fragmentation, so that users that drop fragments do not have a problem.

That said, there are a number of options that make NSD reduce the response size to fit in one fragment (of 1460 bytes). minimal-responses in nsd.conf makes NSD drop the entire additional section (the opposite of what you want). The --disable-minimal-responses configure option makes NSD not minimize the response for the fragment size (of IPv4 or IPv6); recompile with that.

You could also change the size to which NSD minimizes by editing the constants at packet.c:143, IPV4_MINIMAL_RESPONSE_SIZE (1460) and IPV6_MINIMAL_RESPONSE_SIZE (1220).

But again, we would not recommend this, because fragments are known to cause problems, and the additional section is really unnecessary. With +tcp for dig the complete additional section may be returned, by the way. Also, recursors like Unbound will follow the NS set names and query for them to find them (the 'recursion' in action in the lookup algorithm, where it makes additional lookups to chase after the target).

wcawijngaards avatar Sep 06 '19 13:09 wcawijngaards

packet.c:143 should be packet.h:143.

wcawijngaards avatar Sep 06 '19 15:09 wcawijngaards
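To make the trade-off in the answer above concrete, here is an added example (my own Python, stdlib only; it is not NSD's code and not the page's) that models the behaviour described: build the signed A response for dns.be in wire format with RFC 1035 name compression, then append glue (A + RRSIG) for each NS only while the whole message, OPT record included, stays within the limit, stopping at the first pair that would overflow. IPV4_MINIMAL_RESPONSE_SIZE (1460) and IPV6_MINIMAL_RESPONSE_SIZE (1220) are the packet.h constants quoted in the thread; the zone data mirrors the dig output (the four addresses not shown there are constructed from the 192.0.2.0/24 documentation range), the 256-byte all-zero signatures stand in for RSA-2048 (algorithm 8) signatures, and the greedy add-until-full rule is an assumption for illustration, not NSD's actual packet-building logic.

```python
import struct

# Limits named in the thread (NSD's packet.h): a UDP response is trimmed to
# fit one unfragmented datagram for the address family it goes out over.
IPV4_MINIMAL_RESPONSE_SIZE = 1460
IPV6_MINIMAL_RESPONSE_SIZE = 1220

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
OPT_RR_SIZE = 11  # root owner (1) + type/class/ttl (8) + rdlength (2), no options

# Constructed zone data mirroring the dig output in the issue; b, c, x and y
# get documentation-range addresses because the truncated reply did not show them.
QNAME = "dns.be."
NAMESERVERS = ["d.ns.dns.be.", "a.ns.dns.be.", "b.ns.dns.be.",
               "c.ns.dns.be.", "x.ns.dns.be.", "y.ns.dns.be."]
GLUE = {"d.ns.dns.be.": "194.0.44.1", "a.ns.dns.be.": "194.0.6.1",
        "b.ns.dns.be.": "192.0.2.3", "c.ns.dns.be.": "192.0.2.4",
        "x.ns.dns.be.": "192.0.2.5", "y.ns.dns.be.": "192.0.2.6"}


class Packer:
    """Minimal DNS wire-format writer with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray()
        self.names = {}  # tuple of labels (a name suffix) -> offset of first occurrence

    def name(self, dname, compress=True):
        labels = [lab for lab in dname.rstrip(".").split(".") if lab]
        while labels:
            key = tuple(labels)
            if compress and key in self.names:
                self.buf += struct.pack("!H", 0xC000 | self.names[key])
                return  # a pointer terminates the name
            if len(self.buf) < 0x4000:  # only 14-bit offsets are addressable
                self.names.setdefault(key, len(self.buf))
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf.append(0)

    def rr(self, owner, rtype, ttl, rdata):
        """Append one RR; `rdata` is a callable that writes the RDATA into this packer."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)
        lenpos = len(self.buf)
        self.buf += b"\x00\x00"
        rdata(self)
        self.buf[lenpos:lenpos + 2] = struct.pack("!H", len(self.buf) - lenpos - 2)


def a_rdata(ip):
    return lambda p: p.buf.extend(int(o) for o in ip.split("."))


def ns_rdata(target):
    return lambda p: p.name(target)  # NS RDATA may use compression


def rrsig_rdata(covered, labels, signer, siglen=256):
    def write(p):
        # type covered, algorithm 8, label count, original TTL, expiration,
        # inception, key tag: constructed values, only the size matters here
        p.buf += struct.pack("!HBBIIIH", covered, 8, labels, 86400, 0, 0, 30315)
        p.name(signer, compress=False)  # RFC 4034: the signer name is never compressed
        p.buf += b"\x00" * siglen       # placeholder for an RSA-2048 signature
    return write


def build_response(limit, qname=QNAME, nameservers=NAMESERVERS, glue=GLUE):
    """Return (wire, owners whose glue was included) for a response capped at `limit`."""
    p = Packer()
    # header: id, flags qr|aa|rd, qdcount 1, ancount 2, nscount NS+RRSIG, arcount set later
    p.buf += struct.pack("!HHHHHH", 0x1162, 0x8500, 1, 2, len(nameservers) + 1, 0)
    p.name(qname)
    p.buf += struct.pack("!HH", TYPE_A, 1)
    p.rr(qname, TYPE_A, 60, a_rdata("107.154.248.139"))
    p.rr(qname, TYPE_RRSIG, 60, rrsig_rdata(TYPE_A, 2, qname))
    for ns in nameservers:
        p.rr(qname, TYPE_NS, 86400, ns_rdata(ns))
    p.rr(qname, TYPE_RRSIG, 86400, rrsig_rdata(TYPE_NS, 2, qname))

    included = []  # greedy model of "fit as much glue as the datagram allows"
    for ns in nameservers:
        if ns not in glue:
            continue
        mark, saved = len(p.buf), dict(p.names)
        p.rr(ns, TYPE_A, 86400, a_rdata(glue[ns]))
        p.rr(ns, TYPE_RRSIG, 86400, rrsig_rdata(TYPE_A, 4, qname))
        if len(p.buf) + OPT_RR_SIZE > limit:
            del p.buf[mark:]   # roll back the pair that would overflow
            p.names = saved
            break
        included.append(ns)

    # OPT pseudo-RR: root owner, UDP size 4096 in the class field, DO bit in the TTL field
    p.buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    p.buf[10:12] = struct.pack("!H", 2 * len(included) + 1)
    return bytes(p.buf), included


def summarize(wire):
    """Header counts of a wire-format message, as dig reports them."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"size": len(wire), "tc": bool(flags & 0x0200),
            "ancount": an, "nscount": ns, "arcount": ar}


if __name__ == "__main__":
    for label, limit in [("IPv4 limit", IPV4_MINIMAL_RESPONSE_SIZE),
                         ("IPv6 limit", IPV6_MINIMAL_RESPONSE_SIZE),
                         ("no minimisation (4096)", 4096)]:
        wire, included = build_response(limit)
        print(label, summarize(wire), "glue for:", included)
```

Under the 1460-byte IPv4 limit the model reproduces the reply in the issue: 1358 bytes, ADDITIONAL: 5 (two A/RRSIG pairs plus OPT), glue for d and a only, and the third pair would have pushed the datagram to 1668 bytes. Under the 1220-byte IPv6 limit only one pair fits. With no limit all six pairs go in at 2598 bytes, which is more than the 1472-byte UDP payload a 1500-byte Ethernet MTU carries without IPv4 fragmentation, which is exactly the outcome the answer warns against. Note that the TC bit stays clear in every case: the additional section is optional, so dropping it is not truncation in the protocol sense and does not make the client retry over TCP.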