[Yeti DNS Discuss] Re: Re: Five additional servers added to Yeti testbed & a bug finding on priming response

Davey Song(宋林健) ljsong at biigroup.cn
Mon May 16 08:20:25 UTC 2016

> Btw, accepting inconsistent IXFR and generating a merged zone is not
> correct for MZSK as well. Because the ZSK set will be changed, but the old RRSIG
> record remains in the zone, which will cause a problem when the resolver has
> no key to validate.

Once a new zone is generated, the validation for the old RRSIG will be


From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
Sent: May 4, 2016 18:17
To: Davey Song
Cc: discuss at lists.yeti-dns.org
Subject: Re: [Yeti DNS Discuss] Five additional servers added to Yeti testbed &
a bug finding on priming response

On Wed, May 04, 2016 at 11:34:45AM +0200,  Stephane Bortzmeyer
<bortzmeyer at nic.fr> wrote  a message of 79 lines which said:

> 2) With DNSSEC
> % sh priming-size.sh
> dahu2.yeti.eu.org. 2017

[Knot, see a discussion at the end.]

> yeti-ns3.dns-lab.net. 1558

[Without the "minimum responses" option]

> yeti.aquaray.com. 1222
> yeti-ns.as59715.net. 1222

[Probably NSD, this is the default size, with the "minimum responses"

> yeti.ipv6.ernet.in. 914
> yeti.bofh.priv.at. 914
> yeti-ns.switch.ch. 914
> yeti-ns.lab.nic.cl. 914
> yeti-ns.ix.ru. 914

[Probably BIND, with the default size, with the "minimum responses"

For dahu2.yeti.eu.org, the reason the priming response is so large, is
because dahu2 serves two RRSIG for the NS:

.			86400 IN RRSIG NS 8 0 86400 (
				20160527164002 20160427164002 11511 .
				8iBgrNS2PrIhsNYhoBXsF/p4yibpkBDUqozRt9k= )
.			86400 IN RRSIG NS 8 0 86400 (
				20160603050150 20160504050150 20454 .
				v0xFs4LlpfVWYouMKG5uOUBu4qHOiR4R2ibqmZw= )

The first one, made by 11511, seems to be from the WIDE DM. The second one,
by 20454, seems to be from the BII DM. Knot apparently made IXFR and merged
the results...

IMHO, this is an important result to add to the MultiZSK draft:
another correct (?) but surprising behaviour with MultiZSK and IXFR...
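
A check for the symptom described in this message, as an added example that is not part of the original message or of the Yeti project's tooling: it parses RRSIG records in the multi-line presentation format quoted above, reports RRsets signed under more than one key tag, and lists signatures whose key tag is missing from a caller-supplied set of DNSKEY key tags. The function names and the `dnskey_tags` parameter are assumptions made for this example.

```python
from collections import defaultdict

# The two RRSIG NS records are copied from the message (signatures as shown there);
# the RRSIG SOA record is constructed for contrast.
SAMPLE = """\
.   86400 IN RRSIG NS 8 0 86400 (
        20160527164002 20160427164002 11511 .
        8iBgrNS2PrIhsNYhoBXsF/p4yibpkBDUqozRt9k= )
.   86400 IN RRSIG NS 8 0 86400 (
        20160603050150 20160504050150 20454 .
        v0xFs4LlpfVWYouMKG5uOUBu4qHOiR4R2ibqmZw= )
.   86400 IN RRSIG SOA 8 0 86400 (
        20160603050150 20160504050150 20454 .
        Q09OU1RSVUNURUQ= )
"""

def logical_records(text):
    """Yield one token list per record, joining multi-line ( ... ) groups."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # strip zone-file comments
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth == 0 and buf:
            yield buf
            buf = []

def rrsigs_by_rrset(text):
    """Map (owner, covered type) -> key tags that signed it.
    Assumes owner, TTL and class are all present, as in dig output."""
    out = defaultdict(set)
    for tok in logical_records(text):
        if len(tok) >= 13 and tok[3].upper() == "RRSIG":
            out[(tok[0].lower(), tok[4].upper())].add(int(tok[10]))
    return dict(out)

def multi_signed(text):
    """RRsets signed by more than one key tag (the dahu2 symptom)."""
    return {k: sorted(v) for k, v in rrsigs_by_rrset(text).items() if len(v) > 1}

def sigs_without_key(text, dnskey_tags):
    """RRSIGs whose key tag is absent from the DNSKEY key tags a validator holds
    (dnskey_tags is supplied by the caller; hypothetical input)."""
    return sorted((o, t, tag) for (o, t), tags in rrsigs_by_rrset(text).items()
                  for tag in tags if tag not in dnskey_tags)

if __name__ == "__main__":
    print(multi_signed(SAMPLE))
    print(sigs_without_key(SAMPLE, {20454}))
```

Key tags are not unique identifiers, so a match here is only a hint; a validator still needs the actual DNSKEY to verify a signature.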
