
Packet size and name server authoritative zone

As preparation for changing the keys used in the .se zone I have done some tests of packet sizes with different key sizes and algorithms. Currently the .se zone is signed by a 2048 bit Key Signing Key (KSK) and a 1024 bit Zone Signing Key (ZSK), both RSA-SHA1.

The goal of this activity was to:

  • increase the ZSK to 2048 bits
  • Roll over KSK and ZSK to 2048 bits RSA-SHA256 keys

The .se zone today runs on 10 name servers with 10 IPv4 addresses and 8 IPv6 addresses. All name servers are named <single letter>.ns.se. The second level domain ns.se is not delegated as its own zone but is part of the .se zone. This means all name servers are hosts in the .se zone and the .se zone is authoritative for these hosts.

If asked for the ns set of the .se zone our servers answer today:

[prism lang="markup"]dig @a.ns.se se ns

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @a.ns.se se ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 19
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;se. IN NS

;; ANSWER SECTION:
se. 172800 IN NS g.ns.se.
se. 172800 IN NS b.ns.se.
se. 172800 IN NS i.ns.se.
se. 172800 IN NS j.ns.se.
se. 172800 IN NS c.ns.se.
se. 172800 IN NS f.ns.se.
se. 172800 IN NS x.ns.se.
se. 172800 IN NS e.ns.se.
se. 172800 IN NS d.ns.se.
se. 172800 IN NS a.ns.se.

;; ADDITIONAL SECTION:
a.ns.se. 172800 IN A 192.36.144.107
a.ns.se. 172800 IN AAAA 2a01:3f0:0:301::53
b.ns.se. 172800 IN A 192.36.133.107
b.ns.se. 172800 IN AAAA 2001:67c:254c:301::53
c.ns.se. 172800 IN A 192.36.135.107
c.ns.se. 172800 IN AAAA 2001:67c:2554:301::53
d.ns.se. 172800 IN A 81.228.8.16
e.ns.se. 172800 IN A 81.228.10.57
f.ns.se. 172800 IN A 192.71.53.53
f.ns.se. 172800 IN AAAA 2a01:3f0:0:305::53
g.ns.se. 172800 IN A 130.239.5.114
g.ns.se. 172800 IN AAAA 2001:6b0:e:3::1
i.ns.se. 172800 IN A 194.146.106.22
i.ns.se. 172800 IN AAAA 2001:67c:1010:5::53
j.ns.se. 172800 IN A 199.254.63.1
j.ns.se. 172800 IN AAAA 2001:500:2c::1
x.ns.se. 172800 IN A 213.108.25.4
x.ns.se. 172800 IN AAAA 2001:67c:124c:e000::4

;; Query time: 13 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Mon May 22 15:35:49 UTC 2017
;; MSG SIZE rcvd: 578[/prism]

So the answer to a simple query for the .se NS set is 578 bytes.

[prism lang="markup"]dig +dnssec @a.ns.se se ns[/prism]

With DNSSEC enabled the size increases to 3656 bytes.

With larger keys, or with double signing, the answer grows so much that many records are left out of the additional section. The full answer is only available over TCP.

[prism lang="markup"]dig +dnssec +tcp @a.ns.se se ns[/prism]

On a test server I ran tests with this name server setup and the different key setups.

KSK                              ZSK                              Answer size (bytes)
RSA-SHA1 2048 bit                RSA-SHA1 1024 bit                3656
RSA-SHA1 2048 bit                RSA-SHA1 2048 bit                6088
Double signing:
RSA-SHA1 2048 bit + RSA-SHA256   RSA-SHA1 2048 bit + RSA-SHA256   11598
RSA-SHA256 2048 bit              RSA-SHA256 2048 bit              6088

When ns.se is delegated as its own zone from the .se zone, the packet sizes would be as follows:

KSK                              ZSK                              Answer size (bytes)
RSA-SHA1 2048 bit                RSA-SHA1 1024 bit                356
RSA-SHA1 2048 bit                RSA-SHA1 2048 bit                484
Double signing:
RSA-SHA1 2048 bit + RSA-SHA256   RSA-SHA1 2048 bit + RSA-SHA256   774
RSA-SHA256 2048 bit              RSA-SHA256 2048 bit              484

When the A and AAAA records are redistributed over only 4 name server names:

KSK                              ZSK                              Answer size (bytes)
RSA-SHA1 2048 bit                RSA-SHA1 1024 bit                1940
RSA-SHA1 2048 bit                RSA-SHA1 2048 bit                3092
Double signing:
RSA-SHA1 2048 bit + RSA-SHA256   RSA-SHA1 2048 bit + RSA-SHA256   3646
RSA-SHA256 2048 bit              RSA-SHA256 2048 bit              3092
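As an added example (not part of the original post), here is a small wire-size model built from the RFC 1035 and RFC 4034 record formats; it reproduces the measured sizes in the first two tables and the single-signed rows of the third, so you can see where the bytes go and which setups fit a 4096 byte EDNS0 buffer. It assumes dig-style name compression, one RRSIG per RRset per key, RSA signatures of key-size/8 bytes, a 2048 bit RSA-SHA256 key in the double-signing rows, no address records in the additional section when ns.se is its own zone, and a constructed 3+3+2+2 split of the addresses for the four-name case.

```python
HEADER = 12          # DNS message header
FIXED_RR = 10        # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
PTR = 2              # compression pointer to a name already in the message
OPT_RR = 11          # EDNS0 OPT RR: root owner (1) + fixed fields, empty RDATA
RRSIG_FIXED = 18     # type covered, alg, labels, orig TTL, expiration, inception, key tag
EDNS_BUFFER = 4096   # default buffer size of the resolvers discussed below

def wire_name(name):
    """Uncompressed wire length of a dotted name: 'se.' -> 4, 'ns.se.' -> 7."""
    labels = [l for l in name.strip('.').split('.') if l]
    return sum(1 + len(l) for l in labels) + 1

def rrsig_size(key_bits, signer='se.'):
    """One RRSIG RR (owner compressed) carrying an RSA signature of key_bits/8 bytes.
    The signer name is never compressed (RFC 4034, section 3.1.7)."""
    return PTR + FIXED_RR + RRSIG_FIXED + wire_name(signer) + key_bits // 8

def answer_size(ns_labels, glue, sig_keys=(), zone='se.', ns_suffix='ns.se.'):
    """Bytes in an authoritative answer to '<zone> NS'.
    ns_labels: host labels under ns_suffix, e.g. ['a', 'b'].
    glue:      {label: (number_of_A, number_of_AAAA)} returned in ADDITIONAL.
    sig_keys:  RSA key sizes in bits, one per signature on every RRset."""
    size = HEADER + wire_name(zone) + 4 + OPT_RR                 # question + OPT
    for i, label in enumerate(ns_labels):                        # NS RRset, owner = pointer
        tail = (wire_name(ns_suffix) - wire_name(zone) + PTR) if i == 0 else PTR
        size += PTR + FIXED_RR + (1 + len(label)) + tail
    size += sum(rrsig_size(k) for k in sig_keys)                 # RRSIG(s) over the NS RRset
    for n_a, n_aaaa in glue.values():                            # glue RRsets and their RRSIGs
        size += n_a * (PTR + FIXED_RR + 4) + n_aaaa * (PTR + FIXED_RR + 16)
        size += ((n_a > 0) + (n_aaaa > 0)) * sum(rrsig_size(k) for k in sig_keys)
    return size

def fits_udp(size, buffer_size=EDNS_BUFFER):
    """True if the whole answer fits the advertised EDNS0 buffer, i.e. nothing
    from ADDITIONAL has to be dropped and no TCP retry is needed."""
    return size <= buffer_size

# Today's .se NS set: 10 names, 10 A + 8 AAAA glue (d and e have no AAAA).
SE_TODAY = {**{l: (1, 1) for l in 'abcfgijx'}, 'd': (1, 0), 'e': (1, 0)}
# Option 2: the same 18 addresses spread over four names (constructed split).
SE_FOUR = {'a': (3, 3), 'b': (3, 3), 'c': (2, 1), 'd': (2, 1)}

if __name__ == '__main__':
    for label, keys in [('unsigned', ()), ('ZSK 1024', (1024,)),
                        ('ZSK 2048', (2048,)), ('double signed', (2048, 2048))]:
        s = answer_size(list('gbijcfxeda'), SE_TODAY, keys)
        print(f'{label:14} {s:6d} bytes  fits in {EDNS_BUFFER}: {fits_udp(s)}')
```

Every RRSIG over an address RRset in the additional section costs the same as the one over the NS RRset itself, which is why 18 glue RRsets dominate the total and why dropping them (option 1) or merging them into four names (option 2) shrinks the answer so much.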

Other TLDs

As a reference I checked the NS sets of several other registries.

.de uses two different zones for its name servers, nic.de and de.net, both being served by ns(1,2,3).denic.de, as is denic.de itself.

.cz uses <single letter>.ns.nic.cz, and nic.cz is its own zone, served by the same name servers.

.fr uses the nic.fr zone for its name servers, and nic.fr is its own zone.

.nl uses a setup similar to .se today but with fewer name servers. (Packet size with DNSSEC: 2210 bytes.)

Resolvers

Resolvers usually have a buffer size that is configurable but fixed at runtime. This buffer size is communicated to the authoritative servers through EDNS0. If the answer is bigger than 4K, the authoritative server truncates the answer and sets the TC bit, thus asking the resolver to retry over TCP. Records in the additional section, however, are simply left out without setting the TC bit. Often that additional data is needed in a next step, which makes another query necessary.

Resolver   Default buffer size (bytes)
Unbound    4K
Bind*      4K
Knot*      4K

*does not support buffer size over 4K.

Conclusion?

After consulting with a few experts from the DNS community at ICANN, IETF and DNS-OARC, it seems the following three options are available:

  1. Set up ns.se as its own zone, preferably served by the same servers as .se.
  2. Change the name server setup in .se to a smaller number of name server names but the same number of IP addresses.
  3. Do nothing! The additional section is not needed for the DNS to work.

I would like to hear from you! Please send an email to ulrich.wisser@internetstiftelsen.se.