Preparing for upcoming DNSSEC changes on 5/5

Lightner, Jeff jlightner at water.com
Mon May 3 19:54:39 UTC 2010


To follow up on Peter's question: what does it mean if one sees
"reply size limit is at least" with a value lower than the advertised
EDNS buffer size?

This link talks about various scenarios but not that one so I'm not sure
if this means Peter and I need to be concerned.

I saw similar results to Peter, so I set my edns-udp-size to 3839, which was
the lower "at least" value I saw when it was advertising 4096. (I saw
3843 on the other test.)

On doing that, however, I now see the advertised value is 3839 but the
"at least" value is 3828 on one and 3827 on the other, as shown below.
Based on that it appears one should NOT set the edns-udp-size, as it
doesn't fix the problem.

The issue:
[root at dswadns1 etc]# dig txt test.rs.ripe.net +short
rst.x3828.rs.ripe.net.
rst.x3793.x3828.rs.ripe.net.
rst.x3799.x3793.x3828.rs.ripe.net.
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 summary bs=3839,rs=3828,edns=1,do=1"
"12.44.84.213 DNS reply size limit is at least 3828 bytes"

[root at dswadns1 etc]# dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3797.x3827.rs.dns-oarc.net.
rst.x3803.x3797.x3827.rs.dns-oarc.net.
"Tested at 2010-05-03 19:35:55 UTC"
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 DNS reply size limit is at least 3827"

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Peter Laws
Sent: Monday, May 03, 2010 1:16 PM
To: bind-users at isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 01/-10/37 13:59, Kalman Feher wrote:

>
> Second, make sure the tested effective size appears in your named.conf in
> the options statement "edns-udp-size" on your resolver.
>
> In your case:
>   edns-udp-size 3843;


Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the
dns-oarc.net test, which I assume is the default.  I, too, get the 3843
"at least" value.

Why would I set it to 3843?  Wouldn't I want it to be set to 4096 even if
*some* device between here and dns-oarc.net only allows that smaller value?

I just woke up to this issue, sorry to say.  Interestingly, it didn't come
up (directly) during the Educause webinar about DNSSEC last week (.edu will
be signed in July).


-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
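The two tests above (test.rs.ripe.net and rs.dns-oarc.net) report what a resolver advertised in its EDNS OPT record and the largest reply it was actually seen to receive, and the thread turns on how to read a gap between the two. The following is an added example, not part of the thread and not ISC or RIPE/OARC code: a Python parser for the dig +short output quoted above that pulls out the advertised buffer size, the "at least" lower bound and the sizes encoded in the CNAME chain, then classifies the result. The sample input is copied from the two outputs in the message; the thresholds ETHERNET_MTU_PAYLOAD (1472, the largest UDP payload that fits an unfragmented 1500-byte IPv4 frame) and TOLERANCE (64 bytes) and the category names are my assumptions, not values from the thread or from either test's documentation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two dig +short outputs quoted in the thread.
# Not live data; copied verbatim so the parser can be run offline.
RIPE_OUTPUT = """\
rst.x3828.rs.ripe.net.
rst.x3793.x3828.rs.ripe.net.
rst.x3799.x3793.x3828.rs.ripe.net.
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 summary bs=3839,rs=3828,edns=1,do=1"
"12.44.84.213 DNS reply size limit is at least 3828 bytes"
"""

OARC_OUTPUT = """\
rst.x3827.rs.dns-oarc.net.
rst.x3797.x3827.rs.dns-oarc.net.
rst.x3803.x3797.x3827.rs.dns-oarc.net.
"Tested at 2010-05-03 19:35:55 UTC"
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 DNS reply size limit is at least 3827"
"""

# Assumed thresholds (mine, not from the thread or the test services).
ETHERNET_MTU_PAYLOAD = 1472  # max UDP payload in one unfragmented 1500-byte IPv4 frame
TOLERANCE = 64               # gap treated as probe granularity rather than a path problem


@dataclass
class ReplySizeResult:
    resolver: Optional[str]          # source address the test server saw
    advertised: Optional[int]        # EDNS buffer size the resolver sent
    at_least: Optional[int]          # largest reply size the test confirmed
    probed: List[int] = field(default_factory=list)  # sizes encoded in the CNAME chain


def parse_reply_size_test(text: str) -> ReplySizeResult:
    """Extract the advertised size, lower bound and probed sizes from dig +short output."""
    result = ReplySizeResult(None, None, None)
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        if not line:
            continue
        # CNAME chain: rst.x3799.x3793.x3828.rs.ripe.net. -> the last (longest) line wins
        m = re.match(r'rst((?:\.x\d+)+)\.', line)
        if m:
            result.probed = [int(n) for n in re.findall(r'x(\d+)', m.group(1))]
            continue
        m = re.match(r'(\S+) sent EDNS buffer size (\d+)', line)
        if m:
            result.resolver = m.group(1)
            result.advertised = int(m.group(2))
            continue
        m = re.match(r'\S+ DNS reply size limit is at least (\d+)', line)
        if m:
            result.at_least = int(m.group(1))
    return result


def assess(r: ReplySizeResult) -> str:
    """Classify a result. 'ok' means the lower bound is within TOLERANCE of the
    advertised size, i.e. nothing in the output argues for lowering edns-udp-size."""
    if r.advertised is None or r.at_least is None:
        return "incomplete"       # test did not produce both numbers; nothing to judge
    if r.at_least > r.advertised:
        return "inconsistent"     # a reply larger than the advertised buffer should not arrive
    if r.at_least < ETHERNET_MTU_PAYLOAD:
        return "fragment_loss"    # assumption: replies needing IP fragmentation are not arriving
    if r.advertised - r.at_least <= TOLERANCE:
        return "ok"
    return "reduced"              # measurable ceiling below the advertised size; investigate the path


if __name__ == "__main__":
    for name, output in (("RIPE", RIPE_OUTPUT), ("DNS-OARC", OARC_OUTPUT)):
        r = parse_reply_size_test(output)
        print(f"{name}: resolver={r.resolver} advertised={r.advertised} "
              f"at_least={r.at_least} probed={r.probed} -> {assess(r)}")
```

In both quoted runs the largest size in the CNAME chain equals the reported lower bound and sits 11 or 12 bytes under the advertised 3839, which the classifier reports as "ok"; the "fragment_loss" and "reduced" categories exist for the case the thread worries about, where a device on the path actually caps reply size, and only those would be worth acting on.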