
On Mon, Jun 23, 2025 at 03:05:19PM +1000, Viktor Dukhovni wrote:
Setting "minimal-responses yes":
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-minimal-responses
returns just the signed TLSA RRset, using 344 bytes, with plenty of room for more.
Your MX host's zone is signed with ECDSA, and the ns[12] nameservers return minimal responses:
$ dig +noall +stats +norecur +dnssec -t tlsa @ns1.patrickdk.com _25._tcp.kishi.patrickdk.com
;; Query time: 12 msec
;; SERVER: 205.233.73.235#53(ns1.patrickdk.com) (UDP)
;; WHEN: Mon Jun 23 05:08:44 UTC 2025
;; MSG SIZE rcvd: 260
But the third nameserver is less parsimonious:
$ dig +noall +stats +norecur +dnssec -t tlsa @ns-global.kjsl.com. _25._tcp.kishi.patrickdk.com
;; Query time: 61 msec
;; SERVER: 23.128.97.53#53(ns-global.kjsl.com.) (UDP)
;; WHEN: Mon Jun 23 05:11:34 UTC 2025
;; MSG SIZE rcvd: 989
Yet it still has space for ~10 more TLSA records before nearing ~1400 bytes, or ~4-5 more to get over ~1200 bytes. And it may choose to prune the additional section rather than set TC=1 should the response size grow larger.
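To make the size arithmetic above concrete, here is an added example (not part of Viktor's mail or of any nameserver's code) that assembles a minimal-responses style DNSSEC reply in wire format from the standard library only and computes how many further SHA-256 TLSA records fit under a given UDP threshold. It assumes two TLSA records, an ECDSA P-256 RRSIG (64-byte signature) signed by patrickdk.com, and all-zero placeholder digests and signature bytes; with those assumptions the constructed reply comes out at the 260 bytes the first dig reports.

```python
import struct

TYPE_TLSA, TYPE_RRSIG, TYPE_OPT, CLASS_IN = 52, 46, 41, 1
EDNS_BUFSIZE = 1232  # common EDNS0 buffer default, close to the "~1200" above
# Each extra TLSA RR on the wire: 2-byte compressed owner + 10-byte fixed RR
# header + 3 bytes (usage, selector, matching type) + 32-byte SHA-256 digest.
SHA256_TLSA_RR = 2 + 10 + 3 + 32


def encode_name(name):
    """Uncompressed wire-format name (RFC 1035 length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def rr(owner, rtype, rdata, ttl=3600):
    """One resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_tlsa_response(qname, n_tlsa, signer, sig_len=64):
    """Reply carrying only the TLSA RRset, its RRSIG and an OPT record, as a
    server with minimal-responses would send.  Digest and signature bytes are
    constructed placeholders (zeros); the byte count is exact regardless."""
    # Flags: QR|AA|AD, RD clear (matches dig +norecur); 1 question, n+1 answers.
    header = struct.pack("!HHHHHH", 0x1234, 0x8420, 1, n_tlsa + 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    owner = b"\xc0\x0c"  # compression pointer back to the question name
    # TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    tlsa_rdata = bytes([3, 1, 1]) + bytes(32)
    answers = b"".join(rr(owner, TYPE_TLSA, tlsa_rdata) for _ in range(n_tlsa))
    # RRSIG: type covered, algorithm 13 (ECDSAP256SHA256), label count,
    # original TTL, expiration, inception, key tag, then the uncompressed
    # signer name (RFC 4034 forbids compressing it) and the signature.
    labels = len(qname.rstrip(".").split("."))
    rrsig_rdata = struct.pack("!HBBIIIH", TYPE_TLSA, 13, labels, 3600, 0, 0, 0)
    rrsig_rdata += encode_name(signer) + bytes(sig_len)
    answers += rr(owner, TYPE_RRSIG, rrsig_rdata)
    # OPT pseudo-RR in the additional section: root owner, UDP size in CLASS.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answers + opt


def tlsa_headroom(msg_size, threshold=EDNS_BUFSIZE):
    """Number of additional SHA-256 TLSA RRs that fit before msg_size reaches
    threshold, e.g. from the ';; MSG SIZE rcvd:' value dig prints."""
    return max(0, (threshold - msg_size) // SHA256_TLSA_RR)
```

Feeding the 989-byte size of the third nameserver's reply into tlsa_headroom() with the 1232 and 1400 thresholds shows how much room that fuller response leaves for further SHA-256 records.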