Problem with ed.gov

Mark Andrews marka at isc.org
Fri Jan 20 01:14:13 UTC 2012


In message <4F18B4A5.3050402 at rancid.berkeley.edu>, Michael Sinatra writes:
> Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
> sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
> but the buffer size can easily be set higher.

Which often requires a recompile.  Additionally RFC 2671 also says
DO NOT use the theoretical maximum.  AFAIK no one defaults to more
than 4K at this point.  There is very little benefit, at this point,
in going above 4K.  4K is also the current recommended value.
Additionally even if the resolver supports >4K responses the server
also has to support >4K responses.

Mark

> Moreover, the EDNS0 
> buffer size merely specifies the size where the UDP response becomes 
> truncated and must fall over to TCP.  If you limit UDP responses and 
> also block TCP, you may also someday block legitimate traffic.  At this 
> point it's extremely unlikely, but at one time DNS responses in the 
> range of 1k-2k seemed extremely unlikely...
> 
> michael
> 
> On 01/19/12 12:34, Faehl, Chris wrote:
> > Josh - are you using Cisco firewalls? We've seen problems resolving other
> > .gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
> > size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
> > results and fixed those problems without other operational impact.
> >
> > Chris Faehl
> > Director, Cloud Architecture
> > RightNow Technologies
> >
> > On 1/19/12 12:39 PM, "Baird, Josh"<jbaird at follett.com>  wrote:
> >
> >> Ugly fix, but it does work.  I already had that in place as a "band-aid"
> >> anyways.
> >>
> >> Josh
> >>
> >> -----Original Message-----
> >> From: WBrown at e1b.org [mailto:WBrown at e1b.org]
> >> Sent: Thursday, January 19, 2012 2:36 PM
> >> To: Baird, Josh
> >> Cc: bind-users at lists.isc.org
> >> Subject: Re: Problem with ed.gov
> >>
> >> Josh wrote on 01/19/2012 02:06:05 PM:
> >>
> >>> My resolvers seem to be having problems resolving ed.gov hosts.
> >> Others
> >>> have reported similar problems, but I am having trouble figuring out
> >>> where the problem lies.  Some other resolvers seem to be resolving
> >>> ed.gov correctly.  I am able to query their authoritative servers
> >>> directly from the same network where my resolvers are located.  But,
> >> my
> >>> resolvers are not able to recurse to them.
> >>
> >> [snip]
> >>> Is anyone else having problems?  Can you spot anything that could be
> >>> preventing my/our resolvers to successfully query this?
> >>>
> >>
> >> Years ago, we had problems with ed.gov.  We added the following to our
> >> config on 2009-08-11 to forward to their name servers:
> >>
> >> zone "ed.gov" {
> >>         type forward;
> >>         forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185;
> >> 160.109.63.186;
> >>   };
> >> };
> >>
> >> Ugly fix? You bet!  But the problems went away...
> >>
> >> IIRC, we did network sniffs at the perimeter and a bunch of other
> >> troubleshooting to no avail.
> >>
> >>
> >>
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> >> unsubscribe from this list
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
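As an added illustration of the EDNS0 buffer size and TC-bit behaviour discussed in this thread (example code written for this page, not code from any poster or from BIND): it builds a query whose OPT record advertises a 4096-byte UDP payload, reads that value back out of the packet, and classifies a reply by whether the server set TC (retry over TCP) or whether the reply merely exceeds a middlebox limit such as the 512-byte default mentioned above. The sample replies are constructed, not captured traffic.

```python
"""EDNS0 query builder and UDP-reply triage (added example, not code from the thread)."""
import struct
from typing import Optional

OPT_TYPE = 41  # RFC 2671 OPT pseudo-RR


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1, udp_payload: int = 4096, do_bit: bool = True, txid: int = 0x1234) -> bytes:
    """Standard query with one question plus an OPT RR advertising `udp_payload` bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD set; 1 question; 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)    # class IN
    # OPT RR: root owner name, TYPE=41, CLASS carries the requestor's UDP payload size,
    # TTL carries extended RCODE / version / flags (DO is the top bit), RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0x8000 if do_bit else 0, 0)
    return header + question + opt


def advertised_payload_size(query: bytes) -> Optional[int]:
    """Return the UDP payload size from a query's OPT RR, or None if the query has no OPT."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):                  # skip each question: labels, terminator, QTYPE, QCLASS
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1 + 4
    if ancount or nscount or arcount == 0 or query[pos] != 0:   # a query carries only question + OPT
        return None
    rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
    return size if rtype == OPT_TYPE else None


def classify_response(resp: bytes, path_limit: int = 512) -> str:
    """Explain why a UDP answer may never reach the resolver on a middlebox-limited path."""
    if len(resp) < 12:
        return "malformed"
    flags = struct.unpack("!H", resp[2:4])[0]
    if flags & 0x0200:                        # TC: answer did not fit the advertised size; retry over TCP
        return "truncated-retry-tcp"
    if len(resp) > path_limit:                # fits the EDNS size but not e.g. a 512-byte "dns inspect" limit
        return "exceeds-path-limit"
    return "ok"


def constructed_response(name: str, truncated: bool, pad_to: int = 0) -> bytes:
    """Constructed sample reply (not captured traffic): optional TC bit, zero-padded to pad_to bytes."""
    flags = 0x8180 | (0x0200 if truncated else 0)                  # QR, RD, RA (+TC)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    return msg + b"\x00" * max(0, pad_to - len(msg))
```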