dnssec question. confused.

Mark Andrews marka at isc.org
Wed Sep 28 02:52:29 UTC 2011


In message <798E3CAF2FCC264481D8F75FB3D0BFD91B53899D at MAILMBX10.MAIL.LA.GOV>, Brad Bendily writes:
> 
> When trying the DNSSEC check command from:
> https://www.dns-oarc.net/oarc/services/replysizetest
> 
> behind our corporate firewall, I get:
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "Tested at 2011-09-27 20:32:34 UTC"
> "205.172.49.177 sent EDNS buffer size 4096"
> "205.172.49.177 DNS reply size limit is at least 490"
> 
> 
> Which, based on the website tells me our firewall is blocking 
> or filtering EDNS/DNSSEC packets.
>
> However, what I'm confused about is when I run this command:
> dig +dnssec eeoc.gov
> 
> I get:
> 
> ; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
> 
	[snipped]
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.120.11.107#53(10.120.11.107)
> ;; WHEN: Tue Sep 27 15:34:07 2011
> ;; MSG SIZE  rcvd: 1726
> 
> 
> Which tells me my DNSSEC queries are working, right?

Not optimally.  Named will work around some firewall breakage by
retrying the queries that time out with a smaller EDNS UDP buffer
size of 512 bytes, which allows the response to get through the
firewall.  Often those responses will have TC=1 set, so named will
then ask the query again, but this time over TCP.  So instead of a
single UDP query and response you end up with multiple UDP queries
and a TCP connection.

You should have your firewall configured to pass EDNS UDP packets
up to 4096 bytes of UDP payload.  The two queries below generate
such a response from the authoritative nameservers and can't be
resolved from behind a firewall that blocks such responses (TCP
fallback will fail).

	dig edns-v4-ok.isc.org txt
	dig edns-v6-ok.isc.org txt

> I noticed in the "OPT PSEUDOSECTION" udp=4096.

Because you were talking to the local recursive nameserver which is also
behind the firewall.

> This started because, as the DNS admin, I was informed today that we could not resolve
> this domain, eeoc.gov. Which was true. As I started digging into it, and performing a
> dig from an offsite server which was working, I found that the domain "eeoc.gov" is
> running DNSSEC. So, I assumed the problem was with our firewall blocking or filtering
> the DNSSEC traffic. But then after researching for a few hours, I found we were able
> to resolve the domain, through no changes of DNS.
> It could be that "datamtn.com", their authoritative NS are performing
> maintenance or something. So, all this research led me to the information above.

There could have been many causes.
 
> Are we getting EDNS/DNSSEC responses or no?

Yes but not optimally.

> thanks
> bb
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
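The EDNS behaviour Mark describes (a 4096-byte EDNS UDP query, a retry at 512 bytes when that times out, then TCP once a TC=1 response comes back) as an added example that is not part of the original thread and not BIND's code. It uses only the Python standard library; the query builder, the header parser, the simplified fallback state machine and the hand-constructed truncated response are all assumptions made for illustration.

```python
"""
Build a DNS query carrying an EDNS0 OPT record (what dig shows as
"OPT PSEUDOSECTION ... udp=4096"), parse a response header for the TC bit,
and model the fallback sequence described in the reply above:
udp4096 -> timeout -> udp512 -> TC=1 -> tcp.
Added example; the sample response bytes are constructed by hand, not captured.
"""
import struct

EDNS_DO = 0x8000          # DNSSEC OK bit in the OPT record's TTL field (RFC 6891)
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int,
                bufsize: int = 4096, dnssec_ok: bool = True) -> bytes:
    """Header + one question + one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl, 0)
    return header + question + opt


def opt_bufsize(query: bytes) -> int:
    """Read the advertised UDP payload size back out of a query built above."""
    name, rtype, bufsize, _ttl, _rdlen = struct.unpack("!BHHIH", query[-11:])
    assert name == 0 and rtype == TYPE_OPT, "no trailing OPT record"
    return bufsize


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; TC is the bit a resolver keys its TCP retry on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# Constructed sample: a reply to id 40572 with QR=1, TC=1, RD=1, RA=1 and only the question echoed.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 40572, 0x8380, 1, 0, 0, 0)
                    + encode_name("eeoc.gov") + struct.pack("!HH", 1, 1))


def next_attempt(attempt: str, outcome: str) -> str:
    """
    Simplified model (an assumption, not BIND's actual logic) of the workaround
    described above. attempt: 'udp4096' | 'udp512' | 'tcp';
    outcome: 'answer' | 'timeout' | 'truncated'.
    """
    if outcome == "answer":
        return "done"
    if outcome == "truncated":
        return "tcp" if attempt != "tcp" else "failed"
    # timeout: shrink the EDNS buffer once, otherwise give up
    return {"udp4096": "udp512", "udp512": "failed", "tcp": "failed"}[attempt]


def resolve_sequence(outcomes: dict) -> list:
    """Walk the attempts for a constructed scenario mapping attempt -> outcome."""
    seq, attempt = [], "udp4096"
    while attempt not in ("done", "failed"):
        seq.append(attempt)
        attempt = next_attempt(attempt, outcomes.get(attempt, "timeout"))
    seq.append(attempt)
    return seq


if __name__ == "__main__":
    q = build_query("eeoc.gov", 1, 40572)
    print("query bytes:", len(q), "advertised bufsize:", opt_bufsize(q))
    print("sample response TC bit:", parse_header(SAMPLE_TRUNCATED)["tc"])
    print("firewall drops >512 UDP:",
          resolve_sequence({"udp4096": "timeout", "udp512": "truncated", "tcp": "answer"}))
    print("firewall also blocks TCP:",
          resolve_sequence({"udp4096": "timeout", "udp512": "truncated", "tcp": "timeout"}))
```

The last scenario is the one Mark warns about: when the firewall drops the large UDP response and TCP fallback fails as well, the name simply does not resolve, which matches the edns-v4-ok / edns-v6-ok test names he gives. Against a live network the same three steps can be driven by hand with the dig options that already exist for this, for instance +bufsize=4096, +bufsize=512 and +tcp.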