Bind, dnssec, udp fragmentation woes.

Nicholas Wheeler nwheeler at devis.com
Fri Oct 2 16:55:19 UTC 2009


On Fri, 2009-10-02 at 13:22 +1000, Mark Andrews wrote:
> You really want to work out what is being blocked, EDNS?, responses
> bigger than 512 bytes? DNSSEC? fragmented responses?  With a clean
> path all of these should succeed but only the last one won't have
> "tc" set.  This does a plain DNS query, an EDNS query that limits
> the response to 512 bytes, a DNSSEC query that limits the response
> to 512 bytes, a DNSSEC query that limits the response to something
> that would not normally be fragmented but exceeds 512 bytes, a
> DNSSEC query that will normally be fragmented.
> 
> % dig soa se @192.36.133.107 +norec +ignore 
> % dig soa se @192.36.133.107 +norec +ignore +bufsize=512

The above two work, the below four do not work (connection timed out; no
servers could be reached). 

(note: I replaced se with my domain.tld, and the @ with my server).


> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
> 
> Mark

Thanks for the help, but I don't know what this implies, other than
nothing dnssec-related with udp works ;)

Thanks,

-- 
Nicholas Wheeler
Systems Administrator
Development Infostructure
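
An added example, not part of either message and not ISC code: it builds the six probe queries in wire format to show what `+bufsize` and `+dnssec` change in the packet (the EDNS OPT record's advertised size and DO bit), then checks which request field separates the probes reported as answered from those that timed out. The name `example.test`, the query ID, the 4096 fallback size and all function names are assumptions made for illustration.

```python
import struct

SOA, DNSKEY, OPT, DO_BIT = 6, 48, 41, 0x8000

def build_query(qname, qtype, bufsize=None, dnssec=False):
    """Wire-format query with RD clear (+norec); bufsize/dnssec mirror dig's flags."""
    edns = bufsize is not None or dnssec
    msg = struct.pack("!6H", 0x1234, 0, 1, 0, 0, int(edns))  # id, flags, qd, an, ns, ar
    for label in filter(None, qname.split(".")):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)             # root, QTYPE, QCLASS=IN
    if edns:
        size = 4096 if bufsize is None else bufsize           # 4096 is an assumed default
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL holds DO, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, size, DO_BIT if dnssec else 0, 0)
    return msg

def request_view(msg):
    """What a device inspecting the query sees: qtype, EDNS present, size, DO."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    while msg[pos]:                                           # skip QNAME labels
        pos += 1 + msg[pos]
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    if not arcount:                                           # no OPT: classic 512-byte limit
        return {"qtype": qtype, "edns": False, "bufsize": 512, "do": False}
    _, size, ttl, _ = struct.unpack("!HHIH", msg[pos + 6:pos + 16])
    return {"qtype": qtype, "edns": True, "bufsize": size, "do": bool(ttl & DO_BIT)}

# The six probes from the thread, with results as reported in the reply (True = answered).
PROBES = [
    (SOA,    None, False, True),
    (SOA,    512,  False, True),
    (DNSKEY, 1200, False, False),
    (DNSKEY, 512,  True,  False),
    (DNSKEY, 1200, True,  False),
    (DNSKEY, 4096, True,  False),
]

def separating_fields(probes, qname="example.test"):
    """Request fields whose values never overlap between answered and timed-out probes."""
    ok, bad = [], []
    for qtype, bufsize, dnssec, answered in probes:
        view = request_view(build_query(qname, qtype, bufsize, dnssec))
        (ok if answered else bad).append(view)
    return [f for f in ("qtype", "edns", "bufsize", "do")
            if not {v[f] for v in ok} & {v[f] for v in bad}]

if __name__ == "__main__":
    print(separating_fields(PROBES))
```

On the reported results only the query type differs cleanly between the two groups; EDNS presence, advertised size and the DO bit each appear on both sides or vary within the failures.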