Excess records served via AXFR for unsigned zones.

[ximon18]

If a zone contains glue records those are wrongly emitted multiple times when the zone is retrieved via AXFR from the unsigned zone review nameserver. Internally this appears to be caused by fn walk() which is used to traverse the zone to produce AXFR out, but is also used to traverse the zone by the zone signer to extract records to sign. There is no visible effect on the final signed zone because internally the records to sign are sorted and deduplicated, but it causes extra work and memory usage which is noticeable for a large zone.

$ ldns-compare-zones -c nl.zone nl.zone.out.unsigned
...
        +0      -0      ~6986

As an example, one A record appears in the input zone once, but in the unsigned output zone 34 times!

This seems to be because the owner name of the A record is the target of 34 NS records for other owner names.

I.e.

a.b.nl            3600    IN    NS    some.domain.nl.
c.d.nl.           3600    IN    NS    some.domain.nl.
e.f.nl.           3600    IN    NS    some.domain.nl.
some.domain.nl.   3600    IN    A     1.2.3.4

Would result in an unsigned output zone containing:

a.b.nl            3600    IN    NS    some.domain.nl.
c.d.nl.           3600    IN    NS    some.domain.nl.
e.f.nl.           3600    IN    NS    some.domain.nl.
some.domain.nl.   3600    IN    A     1.2.3.4
some.domain.nl.   3600    IN    A     1.2.3.4
some.domain.nl.   3600    IN    A     1.2.3.4

Or something like that.

[ximon18]

NLnetLabs/domain#578 "fixes" this but needs more consideration and checking, it's unclear exactly what is being stored inside the ApexZone structure as "glue" and whether that is the right fix or not.