DNSSEC

Linux Addict linuxaddict7 at gmail.com
Thu May 6 00:24:37 UTC 2010


On Wed, May 5, 2010 at 11:53 AM, Warren Kumari <warren at kumari.net> wrote:

>
> On May 4, 2010, at 11:01 AM, Linux Addict wrote:
>
> On Tue, May 4, 2010 at 10:43 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
>> On Tue, May 04, 2010 at 10:27:25AM -0400,
>>  Linux Addict <linuxaddict7 at gmail.com> wrote
>>  a message of 89 lines which said:
>>
>> > lacks EDNS, defaults to 512"
>> > DNS reply size limit is at least 490"
>> > "Tested at 2010-05-04 14:21:02 UTC"
>>
>> You edited the responses (which includes an IP address). Is it the IP
>> address of your resolver? There may be a forwarder which does not
>> have EDNS.
>>
>> Second possibility, a middlebox mangles your packets and deletes EDNS
>> options.
>>
>>
> Actually that IP was our external NAT. One piece of information I neglected
> to mention is that bind forwards to a tinydns appliance which of course does
> not support DNSSEC for obvious reasons.
>
> So what are my options now? Will the internet work for me tomorrow?
>  At least  I have company in Google..
>
> dig +short rs.dns-oarc.net txt @8.8.8.8
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "64.233.168.94 DNS reply size limit is at least 490"
> "64.233.168.94 lacks EDNS, defaults to 512"
> "Tested at 2010-05-04 15:00:07 UTC"
>
>
>
>
> Actually, we do support EDNS0, but usually only advertise larger buffers
> if needed.
>
> For example,  if you retry this with +dnssec you should get:
>
> wkumari at colon:/$ dig +dnssec  +short rs.dns-oarc.net txt @8.8.8.8
> rst.x1247.rs.dns-oarc.net.
> rst.x1257.x1247.rs.dns-oarc.net.
> rst.x1228.x1257.x1247.rs.dns-oarc.net.
> "74.125.44.94 DNS reply size limit is at least 1257"
> "74.125.44.94 sent EDNS buffer size 1280"
> "Tested at 2010-05-05 15:51:16 UTC"
> wkumari at colon:/$
>
>
> W
>
>


Thanks for the clarification, I learned that after some time.
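
The following is an added example, not part of the thread or of any poster's code: a small Python parser for the TXT strings returned by the `rs.dns-oarc.net` reply size test, run over the two `dig` outputs quoted above so the difference between the plain and `+dnssec` queries can be checked mechanically. The function name and result keys are assumptions chosen for illustration.

```python
import re

# Output of the two dig runs quoted in this thread (CNAME chain + TXT strings).
PLAIN = """\
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.233.168.94 DNS reply size limit is at least 490"
"64.233.168.94 lacks EDNS, defaults to 512"
"Tested at 2010-05-04 15:00:07 UTC"
"""
WITH_DNSSEC = """\
rst.x1247.rs.dns-oarc.net.
rst.x1257.x1247.rs.dns-oarc.net.
rst.x1228.x1257.x1247.rs.dns-oarc.net.
"74.125.44.94 DNS reply size limit is at least 1257"
"74.125.44.94 sent EDNS buffer size 1280"
"Tested at 2010-05-05 15:51:16 UTC"
"""

PATTERNS = {
    "limit": re.compile(r"^(\S+) DNS reply size limit is at least (\d+)$"),
    "edns": re.compile(r"^(\S+) sent EDNS buffer size (\d+)$"),
    "no_edns": re.compile(r"^(\S+) lacks EDNS, defaults to (\d+)$"),
}

def parse_reply_size_test(text):
    """Return source IP, measured limit and EDNS status from the TXT strings."""
    out = {"source": None, "limit": None, "edns": None, "buffer": None, "tested": None}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail-quoted paste
        if len(line) < 2 or line[0] != '"' or line[-1] != '"':
            continue                             # CNAME chain, prompts, blanks
        line = line[1:-1]
        if line.startswith("Tested at "):
            out["tested"] = line[len("Tested at "):]
            continue
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                out["source"] = m.group(1)
                if key == "limit":
                    out["limit"] = int(m.group(2))
                else:
                    out["edns"] = key == "edns"  # True only if EDNS was sent
                    out["buffer"] = int(m.group(2))
    if out["limit"] is None:
        raise ValueError("no reply size limit line found")
    return out
```

Comparing `parse_reply_size_test(PLAIN)` with `parse_reply_size_test(WITH_DNSSEC)` shows the same resolver service reported as lacking EDNS in one run and advertising a 1280-byte buffer in the other.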