Issue running "dig txt rs.dns-oarc.net" on 9.12
Cathy Almond
cathya at isc.org
Mon Jan 29 10:51:24 UTC 2018
The DNS-OARC reply size tester doesn't work with versions of BIND that
are 9.10 and newer. This is because of the new probing process that we
implemented that should be more resilient. But it does unfortunately
'break' getting sane results from the DNS-OARC reply size tester.
https://www.dns-oarc.net/oarc/services/replysizetest
(which does now contain as link to the article below)
https://kb.isc.org/article/AA-01350/0/Testing-authoritative-server-support-for-EDNS-and-large-UDP-buffer-sizes-in-BIND-9.10.html
But as for why you're not getting responses at all - that'd be something
else.
On 28/01/2018 00:32, Matthew Pounsett wrote:
>
>
> On 27 January 2018 at 19:11, Matthew Pounsett <matt at conundrum.com
> <mailto:matt at conundrum.com>> wrote:
>
> The only thing I can think of that has changed in that time, which
> has ever caused me query issues, is the addition of DNS cookies in
> the default query. Some broken authoritative servers will
> incorrectly respond with things like FORMERR when they see an EDNS
> option they don't recognize. I doubt DNS-OARC is running such a
> name server, but I haven't looked to see.
>
> Serves me right for not actually going any looking at this sooner.. and
> for some reason I failed to recognize the name when I saw it.
> rs.dns-oarc.net <http://rs.dns-oarc.net> is the DNS-OARC response size
> tester. The server synthesizes a series of large responses via a CNAME
> chain when you look up that TXT record, designed to test your recursive
> server's ability to handle large responses. I'm getting similar failure
> behaviour from Google Public DNS that you're seeing in 9.12, but I'm not
> seeing it from my 9.11 recursive server (it works on the first try).
>
>
> ; <<>> DiG 9.11.2 <<>> IN TXT rs.dns-oarc.net <http://rs.dns-oarc.net>
> @8.8.8.8 <http://8.8.8.8>
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63546
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net <http://rs.dns-oarc.net>.INTXT
>
> ;; Query time: 4373 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Sat Jan 27 19:20:21 EST 2018
> ;; MSG SIZE rcvd: 44
>
>
> ; <<>> DiG 9.11.2 <<>> IN TXT rs.dns-oarc.net <http://rs.dns-oarc.net>
> @8.8.8.8 <http://8.8.8.8>
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29585
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net <http://rs.dns-oarc.net>.INTXT
>
> ;; ANSWER SECTION:
> rs.dns-oarc.net
> <http://rs.dns-oarc.net>.1INCNAMErst.x4090.rs.dns-oarc.net
> <http://rst.x4090.rs.dns-oarc.net>.
> rst.x4090.rs.dns-oarc.net <http://rst.x4090.rs.dns-oarc.net>.
> 58INCNAMErst.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4058.x4090.rs.dns-oarc.net>.
> rst.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4058.x4090.rs.dns-oarc.net>. 57
> INCNAMErst.x4064.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4064.x4058.x4090.rs.dns-oarc.net>.
> rst.x4064.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4064.x4058.x4090.rs.dns-oarc.net>. 56 IN TXT "74.125.179.74
> DNS reply size limit is at least 4090"
> rst.x4064.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4064.x4058.x4090.rs.dns-oarc.net>. 56 IN TXT "74.125.179.74
> sent EDNS buffer size 4096"
> rst.x4064.x4058.x4090.rs.dns-oarc.net
> <http://rst.x4064.x4058.x4090.rs.dns-oarc.net>. 56 IN TXT "Tested at
> 2018-01-28 00:21:16 UTC"
>
> ;; Query time: 857 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Sat Jan 27 19:21:16 EST 2018
> ;; MSG SIZE rcvd: 279
>
> If you want to understand why your resolver is failing, again I'd have a
> look at the 'resolver' log channel. It should have some detail about
> what's resulting in the SERVFAIL message.
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
More information about the bind-users
mailing list