NSD returns 3 NSEC3 records for NODATA response

While debugging queries for ira.go.ug/DS, I have noticed that NSD returns 3 NSEC3 records in the authority section. I don't believe the extra NSEC3 record causes any harm. However, operationally, it has a consequence, which is a bigger response, compared to say BIND or Knot DNS. If an NSD server limits the UDP buffer size to 1232 (as is the recommendation these days), it causes truncation, and the client tries again over TCP. Compare the following responses:

```
NSD with 4096-byte buffer size:

; <<>> DiG 9.16.20 <<>> +norec +dnssec ira.go.ug ds @ns.icann.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14066
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ira.go.ug.			IN	DS

;; AUTHORITY SECTION:
ug.			14400	IN	SOA	root.eahd.or.ug. servers.i3c.co.ug. 2017250138 86400 3600 2592000 14400
ug.			14400	IN	RRSIG	SOA 8 1 14400 20210923210000 20210814210000 63693 ug. [omitted]
8r4475uh5oosjqhv6dhdmccf6mllupgv.ug. 14400 IN NSEC3 1 1 10 799D670A 90U6TO1ODSNCOIFUT34IFNPP1IECC15L NS SOA RRSIG DNSKEY NSEC3PARAM
8r4475uh5oosjqhv6dhdmccf6mllupgv.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
dpk1ca38i2bp09sfh57ishifd8ebi04s.ug. 14400 IN NSEC3 1 1 10 799D670A IA8GCNUUS76RKVEMFSB6O4KQ09S1I5CS NS DS RRSIG
dpk1ca38i2bp09sfh57ishifd8ebi04s.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
qk9e3k4slop401t887vvsnna8lq2fjbs.ug. 14400 IN NSEC3 1 1 10 799D670A SS5UP489HPGNTUTRSH295N0AGS13GJ08 NS DS RRSIG
qk9e3k4slop401t887vvsnna8lq2fjbs.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]


NSD with 1232-byte buffer:

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.20 <<>> +norec +dnssec +nsid ira.go.ug ds @ns-ug.afrinic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64509
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; NSID: 73 30 34 2d 6e 73 32 2e 6a 6e 62 ("s04-ns2.jnb")
;; QUESTION SECTION:
;ira.go.ug.			IN	DS

;; AUTHORITY SECTION:
ug.			14400	IN	SOA	root.eahd.or.ug. servers.i3c.co.ug. 2017250135 86400 3600 2592000 14400
ug.			14400	IN	RRSIG	SOA 8 1 14400 20210923210000 20210814210000 63693 ug. [omitted]
8r4475uh5oosjqhv6dhdmccf6mllupgv.ug. 14400 IN NSEC3 1 1 10 799D670A 90U6TO1ODSNCOIFUT34IFNPP1IECC15L NS SOA RRSIG DNSKEY NSEC3PARAM
8r4475uh5oosjqhv6dhdmccf6mllupgv.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
dpk1ca38i2bp09sfh57ishifd8ebi04s.ug. 14400 IN NSEC3 1 1 10 799D670A IA8GCNUUS76RKVEMFSB6O4KQ09S1I5CS NS DS RRSIG
dpk1ca38i2bp09sfh57ishifd8ebi04s.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
qk9e3k4slop401t887vvsnna8lq2fjbs.ug. 14400 IN NSEC3 1 1 10 799D670A SS5UP489HPGNTUTRSH295N0AGS13GJ08 NS DS RRSIG
qk9e3k4slop401t887vvsnna8lq2fjbs.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]


And a BIND server:

; <<>> DiG 9.16.20 <<>> +norec +dnssec +nsid ira.go.ug ds @root.eahd.or.ug
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10510
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ira.go.ug.			IN	DS

;; AUTHORITY SECTION:
8R4475UH5OOSJQHV6DHDMCCF6MLLUPGV.ug. 14400 IN NSEC3 1 1 10 799D670A 90U6TO1ODSNCOIFUT34IFNPP1IECC15L NS SOA RRSIG DNSKEY NSEC3PARAM
8R4475UH5OOSJQHV6DHDMCCF6MLLUPGV.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
ug.			14400	IN	SOA	root.eahd.or.ug. servers.i3c.co.ug. 2017250138 86400 3600 2592000 14400
ug.			14400	IN	RRSIG	SOA 8 1 14400 20210923210000 20210814210000 63693 ug. [omitted]
DPK1CA38I2BP09SFH57ISHIFD8EBI04S.ug. 14400 IN NSEC3 1 1 10 799D670A IA8GCNUUS76RKVEMFSB6O4KQ09S1I5CS NS DS RRSIG
DPK1CA38I2BP09SFH57ISHIFD8EBI04S.ug. 14400 IN RRSIG NSEC3 8 2 14400 20210923210000 20210814210000 63693 ug. [omitted]
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

NSD returns 3 NSEC3 records for NODATA response #190

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

NSD returns 3 NSEC3 records for NODATA response #190

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions