[Opendnssec-develop] Empty non terminals: 212 unjustified NSEC3s in .nl zone

Antoin Verschuren Antoin.Verschuren at sidn.nl
Wed Jan 27 15:15:46 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Guys,

We may have found one of the reasons why signing .nl is slow.
There are 212 delegations in our zone with corresponding glue which have the following form in our .nl zone:

$ORIGIN nl.
telemena                NS      a.ns.telemena
                        NS      b.ns.telemena
$ORIGIN ns.telemena.nl.
a                       A       81.171.4.1
b                       A       81.171.1.3

The signer sees these delegations and glue as empty non terminals, and NSEC3s the data.

[root at signer2 tmp]# grep telemena nl.signed
; Empty non-terminal: ns.telemena.nl.
; Glue: b.ns.telemena.nl.       7200    IN      A       81.171.1.3
telemena.nl.    7200    IN      NS      a.ns.telemena.nl.
telemena.nl.    7200    IN      NS      b.ns.telemena.nl.
; Glue: a.ns.telemena.nl.       7200    IN      A       81.171.4.1

So instead of the expected 10 RRSIGs, we now suddenly have 212 more NSEC3, and 4 times that much RRSIG records when using opt-out.

Is there another way to speed this up ?
Signing a fresh .nl now takes 50 minutes with NSEC3 and opt-out.
Bind 9.7 does not NSEC3 the empty non-terminals, and we only get 8 NSEC3 records.


Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/



-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)

wsBVAwUBS2BKkjqHrM883AgnAQijbgf/UvbIW28O3c833xRxrxQspP5MikPrED5h
zUUkzsolvJrxttNSjUQuQa2qYRStht915hMjm3oXELqY+BwNtWRTLrD8ZNRRXqGc
JzeXH3JnXsZ4ImwiKlRJXQMEWRwHGPkMrWJOgpzIEjNQfQVv1agyfVaQaW9zRuMk
eu+s06QNGOSXNGr7dRyIUsa+nWMRIzwRMBaCOxfWPc8BqY43kgHR32/ph4PNwWrx
fa/9Wjk9SmVCGjNdDiH3X9ytHd9jQ7NDcyoGRaCtOZShxjjsR+E+/gtZMCOuSCrm
I7UF4ZIm0XPXGbtk0HcTv1LRn1zLTj5v7mZBqZeJVR9QKUyFX/PAtA==
=GJGm
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list