NSEC and NSEC3 reduction proposal
We can reduce the structures dealing with NSEC and NSEC3 records and decrease the memory consumption of Knot.
Currently, Knot just takes the records provided in the zone file (or retrieved by an incoming transfer) and serves them as they are. In order to support online DNSSEC signing with DDNS, we have to be able to create and remove these records on the fly.
NSEC records
NSEC RR (http://tools.ietf.org/html/rfc3845#page-3) contains:
- uncompressed domain name
- bit map of RR types in RDATA
All of that can be retrieved directly from the zone content structure with low overhead. After the change, NSEC records will become virtual. There is still an open question of how long it will take to recompute the bit map.
NSEC3 records
If there are multiple NSEC3PARAM RRs, there are multiple NSEC3 chains. The server should choose one of them and use it (as stated in RFC 5155). That is what we currently do and will continue to do after the change.
NSEC3 RR (http://tools.ietf.org/html/rfc5155#page-9) contains:
- flags
- hash algorithm + number of iterations
- salt length + salt
- hash length + next hash
- bit map with RR types
Flags currently support only the opt-out flag, which can be determined automatically. The hash parameters and salt can be dropped, as these values are determined by the selected NSEC3PARAM RR. We have to keep the hashes ordered, so the next hash can be dropped as well. In addition, NSEC3 owner names are a concatenation of the hash and the zone apex, so we do not need to keep the full dname for each record (as we currently do). The bit map has to be retained (or we have to keep a pointer back to the covered RR).
The pointers from the zone RRs to NSEC3 structures will be kept, as the hash computation is too expensive.
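The following is an added illustration of the reduction described in the NSEC and NSEC3 sections above; it is example code written for this page, not Knot DNS code. Per node it keeps only the set of RR types and, for NSEC3, the precomputed owner hash (the expensive step the proposal wants to do once). Everything else (the NSEC next name, the type bit map, the NSEC3 owner name and next hash) is derived from two sorted orders, so an add or remove, as a DDNS update would cause, needs no rewrite of neighbouring records. The zone contents, the `VirtualChain` class and the helper names are constructed for the example; the NSEC3 parameters (salt `aabbccdd`, 12 iterations) and the hashed apex name are the RFC 5155 Appendix A vectors, and the bit map encoding follows RFC 4034 section 4.1.2.

```python
"""Added illustration (not Knot DNS code): virtual NSEC/NSEC3 derived from
a per-node record of just the RR types plus a precomputed NSEC3 owner hash."""
import base64
import bisect
import hashlib

# RR type codes (IANA registry); "TYPEnnnn" mnemonics are accepted as well
RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "DS": 43,
          "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51}


def type_code(mnemonic):
    return int(mnemonic[4:]) if mnemonic.startswith("TYPE") else RRTYPE[mnemonic]


def type_bitmap(types):
    """RFC 4034 section 4.1.2 type bit map: (window, length, bits) blocks."""
    windows = {}
    for t in types:
        win, low = divmod(type_code(t), 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)
    out = b""
    for win in sorted(windows):
        bits, length = windows[win], 32
        while length and bits[length - 1] == 0:  # trailing zero octets are not emitted
            length -= 1
        out += bytes([win, length]) + bytes(bits[:length])
    return out


def labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """Canonical DNS name order (RFC 4034 section 6.1): compare from the rightmost label."""
    return tuple(reversed(labels(name)))


def wire_name(name):
    """Uncompressed lowercase wire form: length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(x||salt), then `iterations` more rounds of H(prev||salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


def base32hex(raw):
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), lowercase, unpadded."""
    table = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return base64.b32encode(raw).translate(table).decode("ascii").rstrip("=").lower()


class VirtualChain:
    """Stores name -> (nsec3 hash, RR types); owner names, next names and next
    hashes are never stored but fall out of the two sorted orders kept alongside."""

    def __init__(self, apex, salt, iterations):
        self.apex = apex.lower().rstrip(".") + "."
        self.salt, self.iterations = salt, iterations
        self.nodes = {}
        self.by_name = []  # (canonical key, name), kept sorted
        self.by_hash = []  # (hash, name), kept sorted

    @staticmethod
    def _fqdn(name):
        return name.lower().rstrip(".") + "."

    def add(self, name, types):
        name = self._fqdn(name)
        if name in self.nodes:
            self.remove(name)
        h = nsec3_hash(name, self.salt, self.iterations)  # the one expensive step, done once
        self.nodes[name] = (h, frozenset(types))
        bisect.insort(self.by_name, (canonical_key(name), name))
        bisect.insort(self.by_hash, (h, name))

    def remove(self, name):
        name = self._fqdn(name)
        h, _ = self.nodes.pop(name)
        self.by_name.remove((canonical_key(name), name))
        self.by_hash.remove((h, name))

    def nsec(self, name):
        """NSEC RDATA (next owner name, bit map); the chain wraps around to the apex."""
        name = self._fqdn(name)
        if not self.nodes[name][1]:
            return None  # an empty non-terminal has no NSEC record
        i = bisect.bisect_right(self.by_name, (canonical_key(name), name))
        next_name = self.by_name[i % len(self.by_name)][1]
        return next_name, type_bitmap(self.nodes[name][1] | {"NSEC", "RRSIG"})

    def nsec3(self, name):
        """NSEC3 (owner name, next hashed owner, bit map), all derived from stored state."""
        name = self._fqdn(name)
        h, types = self.nodes[name]
        i = bisect.bisect_right(self.by_hash, (h, name))
        next_hash = self.by_hash[i % len(self.by_hash)][0]
        signed = types | {"RRSIG"} if types else types  # empty non-terminals carry no RRSIG
        return base32hex(h) + "." + self.apex, base32hex(next_hash), type_bitmap(signed)


def demo_chain():
    """Constructed sample zone using the RFC 5155 Appendix A parameters."""
    chain = VirtualChain("example.", bytes.fromhex("aabbccdd"), 12)
    chain.add("example.", {"SOA", "NS", "MX", "DNSKEY", "NSEC3PARAM"})
    chain.add("a.example.", {"NS", "DS"})
    chain.add("ns1.example.", {"A"})
    chain.add("w.example.", set())  # empty non-terminal: hashed node with an empty bit map
    chain.add("x.w.example.", {"MX"})
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    for name in sorted(chain.nodes):
        print(name, chain.nsec(name), chain.nsec3(name)[:2])
    chain.add("new.example.", {"A"})  # a DDNS add: neighbours' NSEC/NSEC3 follow automatically
    print("after add:", chain.nsec("ns1.example.")[0], chain.nsec3("ns1.example.")[1])
```

Memory-wise each node carries a 20-byte hash and a type set; the 32-character owner name, the next hash and the NSEC3 parameters are recomputed on demand, which is exactly what the proposal means by dropping them. The cost that remains visible here is `type_bitmap()` being rebuilt per query, the open question raised in the NSEC section.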
Expectations
I expect these results:
- lower memory footprint
- flatter zone content structures (remove unnecessary nesting, store RRSIG records together with other nodes, drop unnecessary pointers)
- no invalid NSEC/NSEC3 chains in the zone (is this a problem?)
- no NSEC/NSEC3 records without RRSIG allowed (Is this a problem? It currently does not work with NSEC anyway.)