DLV dnssec setup

Wolfgang Rosenauer wrosenauer at gmail.com
Fri Jul 11 09:27:29 UTC 2014


Hello all,

first let me thank you for your patience.


On Fri, Jul 11, 2014 at 10:47 AM, Mark Andrews <marka at isc.org> wrote:
>
> In message <CALm7FAdeV4eqiAZc2vP=mnPKv4dO3C9YZu2J-LPdiFv8Eb8k6A at mail.gmail.com>
> , Wolfgang Rosenauer writes:
>> All but one request succeeded:
>> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +norec
>>
>> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1
>> +ignore +norec
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>
> Which requires fragmented UDP to be passed by the firewall.  The
> rest of the test udp responses will all fit in a ethernet frame.
>
> Test with
>
>         dig dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432

Seems to work:
s15418965:/var/lib/named/log # dig dnskey org +dnssec @199.19.56.1
+ignore +norec +bufsize=1432

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1
+ignore +norec +bufsize=1432
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21075
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.                           IN      DNSKEY

;; Query time: 131 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Fri Jul 11 11:19:15 CEST 2014
;; MSG SIZE  rcvd: 32


> Then set "edns-udp-size 1432;" in named.conf until you can get the firewall
> fixed.  This size allows for 4in6 and 6in4 encapsulations w/o fragmentation.

Done that, and basic resolution is still broken :-(

s15418965:/var/lib/named/log # dig @127.0.0.1 isc.org

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> @127.0.0.1 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;isc.org.                       IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 11 11:19:58 CEST 2014
;; MSG SIZE  rcvd: 36

I'm running out of ideas.
Meanwhile I've confirmed that the same setup and software versions
work on another hosted machine (bare metal, different hoster), so I
really agree it is some strange network setup. I'll ask the provider
again what's wrong, but I'm really lost as to why I can ask an external BIND
successfully while my own one still does not get the reply back.


Wolfgang
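The two things Mark's reply relies on, the arithmetic behind the 1432-byte EDNS buffer and the reading of the two dig transcripts (timeout with the default buffer, a truncated answer with +bufsize=1432), can be checked mechanically. The script below is an added example written for this archive page; it is not code from the thread, from ISC or from BIND. It assumes a 1500-byte Ethernet MTU and standard IPv4/IPv6/UDP header sizes, and the dig transcripts it parses are trimmed copies of the ones quoted above.

```python
import re

# Standard sizes assumed for the derivation (not taken from the thread).
ETHERNET_MTU = 1500
IP_HEADER = {"ipv4": 20, "ipv6": 40}
UDP_HEADER = 8


def max_unfragmented_payload(mtu=ETHERNET_MTU, outer="ipv4", inner=None):
    """Largest UDP payload that fits one frame without IP fragmentation.

    outer: IP version of the packet on the wire.
    inner: IP version tunnelled inside it (6in4 -> outer ipv4, inner ipv6;
           4in6 -> outer ipv6, inner ipv4), or None for native traffic.
    """
    size = mtu - IP_HEADER[outer] - UDP_HEADER
    if inner is not None:
        size -= IP_HEADER[inner]
    return size


def parse_dig(output):
    """Pull the diagnostic facts out of a dig transcript."""
    info = {"timed_out": "connection timed out" in output}
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    info["flags"] = m.group(1).split() if m else []
    m = re.search(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", output, re.M)
    info["status"] = m.group(1) if m else None
    m = re.search(r"MSG SIZE\s+rcvd: (\d+)", output)
    info["rcvd"] = int(m.group(1)) if m else None
    return info


def diagnose(default_bufsize_output, small_bufsize_output):
    """Classify a large-buffer / small-buffer probe pair against the same server."""
    large = parse_dig(default_bufsize_output)
    small = parse_dig(small_bufsize_output)
    if large["timed_out"] and small["timed_out"]:
        return "no UDP answers at all; check reachability before blaming fragmentation"
    if large["timed_out"] and "tc" in small["flags"]:
        return ("fragmented UDP blocked: the full response never arrives, "
                "the small buffer gets a TC answer and the client can retry over TCP")
    if not large["timed_out"]:
        return "large UDP responses pass; fragmentation is not the problem"
    return "inconclusive"


# Trimmed copies of the two transcripts quoted in the thread.
DEFAULT_BUFSIZE_RUN = """\
; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1 +ignore +norec
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

BUFSIZE_1432_RUN = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21075
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 32
"""

if __name__ == "__main__":
    print("native IPv4 :", max_unfragmented_payload())
    print("6in4        :", max_unfragmented_payload(outer="ipv4", inner="ipv6"))
    print("4in6        :", max_unfragmented_payload(outer="ipv6", inner="ipv4"))
    print(diagnose(DEFAULT_BUFSIZE_RUN, BUFSIZE_1432_RUN))
```

Both tunnel cases land on 1432, which is why a single `edns-udp-size 1432;` covers 4in6 and 6in4 at once; native IPv4 would allow 1472. The classifier only looks at the probe pair against the external authoritative server, so it confirms the firewall finding but says nothing about why the local named still returns SERVFAIL for isc.org.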

