From dc2fa0e3f91883c7613484c07e4e241e5487e3db Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Sun, 20 Sep 2009 16:00:38 -0400
Subject: [PATCH] minor edits to results text; current state of named.conf
---
 named.conf | 6 ++---
 .../root_overall_response_size_results.txt | 22 ++++++++++---------
 2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/named.conf b/named.conf
index 4a682e6..6f823d2 100644
--- a/named.conf
+++ b/named.conf
@@ -3,7 +3,7 @@ options {
 port 4053;
 dnssec-enable yes;
 recursion no;
- pid-file "/home/davidb/src/root_zone_test/run/named.pid";
+ pid-file "run/named.pid";
 # max-udp-size 1472;
 };
@@ -19,6 +19,6 @@ zone "arpa." {
 zone "root-servers.net." {
 type master;
- file "root-servers.net.zone";
- #file "root-servers.net.signed";
+ #file "root-servers.net.zone";
+ file "root-servers.net.signed";
 };
diff --git a/zone_results/root_overall_response_size_results.txt b/zone_results/root_overall_response_size_results.txt
index 91caa4a..a7f08c7 100644
--- a/zone_results/root_overall_response_size_results.txt
+++ b/zone_results/root_overall_response_size_results.txt
@@ -9,7 +9,7 @@ Recommendations:
 1) Use the "minimal-dnskey-response" behavior for the root servers. This behavior is supported by RDNS 2.3.2 and NCDNS 1.1.1
- (as well as BIND 9.6 and NSD 3.2.3).
+ (as well as BIND 9.6.x and NSD 3.2.3).
 2) Cap our UDP responses sizes to 1472 (or optionally less, down to 1400). The results below will show that this is safe. In fact,
@@ -24,8 +24,8 @@ Methodology:
 1024-bit ZSK, a signed arpa with the same key sizes, and (for now) an unsigned root-servers.net zone.
- * BIND 9.6 was used as the authoritative server (so the minimal-dnskey-response behavior was in effect).
+ * BIND 9.6 was used as the authoritative server, so the minimal-dnskey-response behavior was in effect.
 * A python script was created using the dnspython package. This script would:
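Review bot: `pid-file "run/named.pid";` is now a relative path, so where the PID file is written depends on named's working directory — BIND resolves relative paths against the `directory` option when one is set in the options block, and otherwise against the directory named was started from. The options block begins before this hunk, so whether `directory` is set is not visible here; if it is not, a start/stop script that reads the PID file from a fixed location may look in the wrong place, and the file lands wherever the test harness happens to launch named. Either keep an absolute path or record the expectation on the line itself, e.g. `pid-file "run/named.pid"; # relative to the "directory" option (or the startup cwd)`.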
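Review bot: Enabling `file "root-servers.net.signed";` for `zone "root-servers.net."` means named now serves a signed root-servers.net, while the methodology text in zone_results/root_overall_response_size_results.txt, touched in this same commit, still states that the test used "(for now) an unsigned root-servers.net zone", so the published sizes presumably predate this switch. A short comment on the zone statement would keep the config and the results in step, e.g. `# signed zone enabled after the response-size results below were collected; re-run to refresh them`, or the results text should note that it was measured against the unsigned zone. The zone statement is complete within the hunk.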
@@ -33,16 +33,19 @@ Methodology:
 1. Read the contents of the signed root zone file, and for every name/type pair (except A/AAAA types for root and arpa):
- 1.1. Query for the name/type with EDNS0, DO=1, BUFSIZE=4096 via UDP
+ 1.1. Query for the name/type with EDNS0, DO=1, and BUFSIZE=4096 via UDP.
- 1.2. Record the resulting response size.
+ 1.2. Record the resulting response size. This is the "full" response size.
 1.3. Find the "minimum no TC" size by parsing the response, clearing the additional section, re-encoding into compressed wire format, then recording the size. Because of the way the dnspython dns.message class works, the OPT
- record was perserved.
+ record was perserved. Testing demonstrated that the size did not change for responses that had no additional section records other than OPT (e.g., NXDOMAIN responses).
 1.4. Calculate the additional amount of space that would be taken up if a maximum sized qname was given (essentially,
@@ -71,7 +74,7 @@ Methodology:
 Results:
-* "Maximum overall size" is the size of a response *with* the
+* "Maximum overall size" is the size of a response with the
 additional records and with a 255-byte qname.
 * "Full response size" is the size of the response with the additional section (if any), but with the given qname.
@@ -127,6 +130,5 @@ full min qname label
 Note that the duplicate arpa queries exist because of the arpa entry in both the root zone and the arpa zone.
-The RRSIG responsed will shrink to 1189 or 1157 bytes before setting
+The RRSIG responses will shrink to 1189 or 1157 bytes before setting
 TC, but the ANY responses will always set TC.
-
-- 
2.36.6