[nsd-users] NSD not serving DNSKEY requests if the key is =>2048 bits

Teran McKinney sega01 at gmail.com
Fri Aug 15 18:17:43 UTC 2008

I guess this has turned into a drill or ldns issue.

I was using drill for the queries. Setting it to use TCP worked in all
cases, and setting the DNSSEC flag worked for 2048 bits but not 4096
bits. dig works fine over UDP with 2048 or 4096 bit requests. Sorry I
didn't notice this earlier.

8.4.e164.arpa has a 4096 bit DNSKEY and drill (1.3.0, under my setup)
will not return a reponse unless the DNSSEC flag or TCP flag is set.
Strange that setting DNSSEC works without TCP for this 4096 bit key,
but did not work on my own 4096 bit keys. dig works without any flags
to that zone.

Okay, as I was writing this email I tried setting the buffer size on
drill (default is 512 bits). Anything below 900~ bits does not work,
but if I set it to use 900+ bits it works fine for the arpa zone I
refered to. I have to set a 2048 bit buffer to get drill to give a
response with my VPN's TLD. I do not know how to set drill to not add
the extra formatting to the DNS packets written to file (so it should
be smaller), but mine was 4390 bytes for a DNSKEY request showing only
a 4096 bit KSK and ZSK. Setting +bufsize on dig had no affect; a size
of 512 bits still let it resolve the VPN's TLD fine without any
additional flags.

Teran (sega01)

On Fri, Aug 15, 2008 at 17:36, Ondřej Surý <ondrej at sury.org> wrote:
> How big is the result packet?
> Did you try dig with +tcp flag? (EDNS0 should be enabled when you use
> +dnssec, but adding +edns=0 doesn't hurt anyway).
> Ondrej.
> 2008/8/15 Teran McKinney <sega01 at gmail.com>:
>> Hi,
>> I have been trying to roll out DNSSEC onto a TLD in my public VPN and
>> two domains. I was hoping to do a 4096 bit KSK and 2048 bit ZSK, but
>> unfortunately NSD 3.1.1 seems to not serve DNSKEY requests if the key
>> is 2048 bits or more.
>> I tried generating RSASHA1 keys with bind's DNSSEC utilities and ldns'
>> utilities. A KSK and ZSK of 1024 or 1280 bits worked fine when
>> querying for DNSKEY. Simply changing the bit value to 2048 or 4096 and
>> resigining the zone seemed to stop NSD from serving DNSKEY requests,
>> however it still sent applicable RRSIG data if the DO flag was set. I
>> also tried generating RSAMD5 keys, but they had the same effect.
>> My configuration file is fairly standard, but perhaps there is an
>> option that I am missing?
>> ftp://icadyptes.go-beyond.org/icadyptes/abs/extra/daemons/nsd/ is my
>> build script. The only main difference between running the script's
>> build() directly and going through the normal build script parser is a
>> $CFLAGS setting. This is on a Arch Linux fork I am working on.
>> Any ideas as to what might be causing this, or should I give any more
>> information?
>> Thanks,
>> Teran (sega01)
>> PS: How well supported is SHA2 for DNSSEC? ldns optionally supports it
>> and I have read of some vulnerabilities with SHA1, so I would prefer
>> to use it.
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at NLnetLabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> --
> Ondřej Surý <ondrej at sury.org>

More information about the nsd-users mailing list