On Mon, Jun 23, 2025 at 03:05:19PM +1000, Viktor Dukhovni wrote:
> Setting "minimal-responses yes":
>
>
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-minimal-responses
>
> returns just the signed TLSA RRset, using 344 bytes, with plenty of room
> for more.
Your MX host's zone is signed with ECDSA, and the ns[12] nameservers return
minimal responses:
$ dig +noall +stats +norecur +dnssec -t tlsa @ns1.patrickdk.com _25._tcp.kishi.patrickdk.com
;; Query time: 12 msec
;; SERVER: 205.233.73.235#53(ns1.patrickdk.com) (UDP)
;; WHEN: Mon Jun 23 05:08:44 UTC 2025
;; MSG SIZE rcvd: 260
But the third nameserver is less parsimonious:
$ dig +noall +stats +norecur +dnssec -t tlsa @ns-global.kjsl.com. _25._tcp.kishi.patrickdk.com
;; Query time: 61 msec
;; SERVER: 23.128.97.53#53(ns-global.kjsl.com.) (UDP)
;; WHEN: Mon Jun 23 05:11:34 UTC 2025
;; MSG SIZE rcvd: 989
Yet still has space for ~10 more TLSA records before nearing ~1400 bytes
or ~4-5 more to get over ~1200 bytes. And it may choose to prune the
additional section rather than set TC=1 should the response size grow
larger.
--
Viktor.
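An added example, not part of the message above or of any project's code: a Python script that encodes a DNSSEC-signed TLSA response in wire format using only the standard library, so the byte budget Viktor is reasoning about can be checked offline against dig's "MSG SIZE rcvd". It assumes TLSA 3 1 1 records (35 bytes of RDATA each), a single RRSIG with a 64-byte ECDSA P-256 signature, an EDNS OPT record and no authority or additional sections; the owner and signer names are taken from the dig queries above, and the digest, signature, TTL and key-tag bytes are constructed placeholders whose only role is their length. It also generalizes beyond the message by accepting other signature lengths (e.g. RSA-2048) and by computing how many more TLSA records fit under a chosen UDP payload limit.

```python
"""Wire-size budget for a DNSSEC-signed TLSA response (added example).

Encodes a minimal DNS response (question, TLSA RRset, one RRSIG, EDNS OPT)
with the standard library only, so the byte count can be compared with the
``MSG SIZE rcvd`` figure that dig reports.  Digest and signature bytes are
constructed placeholders (zeros); only their lengths matter for sizing.
"""
import struct

# Assumed names, taken from the dig queries in the message above.
OWNER = "_25._tcp.kishi.patrickdk.com"
SIGNER = "patrickdk.com"

TYPE_TLSA, TYPE_RRSIG, TYPE_OPT = 52, 46, 41
CLASS_IN = 1
EDNS_UDP_SIZE = 1232        # widely used safe UDP payload size (DNS flag day 2020)
ECDSA_P256_SIG_LEN = 64     # RRSIG signature length for algorithm 13
RSA_2048_SIG_LEN = 256      # RRSIG signature length for a 2048-bit RSA key


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a domain name: length-prefixed labels + root."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def tlsa_rdata(usage: int = 3, selector: int = 1, mtype: int = 1) -> bytes:
    """TLSA RDATA: usage, selector, matching type, then a placeholder digest."""
    digest_len = 32 if mtype == 1 else 64   # 1 = SHA-256, 2 = SHA-512
    return bytes([usage, selector, mtype]) + b"\x00" * digest_len


def rrsig_rdata(covered: int, labels: int, ttl: int, sig_len: int, alg: int = 13) -> bytes:
    """RRSIG RDATA with placeholder times and key tag.

    The signer name is never compressed (RFC 4034), so it is emitted in full.
    The algorithm number does not change the size; only sig_len does.
    """
    fixed = struct.pack("!HBBIIIH", covered, alg, labels, ttl, 0, 0, 0)
    return fixed + encode_name(SIGNER) + b"\x00" * sig_len


def build_response(num_tlsa: int, sig_len: int = ECDSA_P256_SIG_LEN, ttl: int = 3600) -> bytes:
    """Minimal-responses style answer: question, num_tlsa TLSA RRs, one RRSIG, EDNS OPT."""
    # Header: id, flags (QR|AA|AD), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x8420, 1, num_tlsa + 1, 0, 1)
    question = encode_name(OWNER) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    owner_ptr = b"\xc0\x0c"     # compression pointer to the question name at offset 12
    answers = b"".join(rr(owner_ptr, TYPE_TLSA, ttl, tlsa_rdata()) for _ in range(num_tlsa))
    labels = len(OWNER.split("."))
    answers += rr(owner_ptr, TYPE_RRSIG, ttl, rrsig_rdata(TYPE_TLSA, labels, ttl, sig_len))
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0x00008000, 0)
    return header + question + answers + opt


def tlsa_rr_size() -> int:
    """Bytes added by one more TLSA 3 1 1 record with a compressed owner name."""
    return len(rr(b"\xc0\x0c", TYPE_TLSA, 3600, tlsa_rdata()))


def extra_records_that_fit(observed_size: int, limit: int = EDNS_UDP_SIZE) -> int:
    """How many more TLSA records a response of observed_size can take before exceeding limit."""
    return max(0, (limit - observed_size) // tlsa_rr_size())


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n} TLSA record(s), ECDSA P-256: {len(build_response(n))} bytes")
    print(f"2 records, RSA-2048 signature: {len(build_response(2, sig_len=RSA_2048_SIG_LEN))} bytes")
    print(f"headroom in the 989-byte response under {EDNS_UDP_SIZE}: "
          f"{extra_records_that_fit(989)} records")
```

Under these assumptions two TLSA 3 1 1 records plus one ECDSA signature come to exactly 260 bytes, the figure ns1 returned, and each further 3 1 1 record costs 47 bytes; the same RRset with an RSA-2048 signature would be 452 bytes, which is the size argument for ECDSA in DANE zones. Applying the 47-byte increment to the 989-byte response from ns-global gives five more records under a 1232-byte limit, matching the "~4-5 more to get over ~1200 bytes" estimate above.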