Operators, how do you handle EDNS?

Ray Van Dolson rvandolson at esri.com
Wed Jan 14 02:10:16 UTC 2009


On Tue, Jan 13, 2009 at 05:00:38PM -0800, Ray Van Dolson wrote:
> On Tue, Jan 13, 2009 at 04:35:46PM -0800, Mark Andrews wrote:
> > 	The number of nameservers that fail to respond to EDNS
> > 	queries is minuscule.  The majority of nameservers on the
> > 	net actually talk EDNS.
> > 
> > 	I suggest that you re-analyse the failures to determine
> > 	their true causes.
> > 
> > 	Mark
> 
> I'd thought we'd ruled this out, but testing again from an OOB server
> confirms what you're saying.
> 
> Will definitely reinvestigate.
> 
> Initially I am getting these in response to my dig queries:
> 
> # dig @130.76.96.65 boeing.com soa +dnssec +norec
> ;; Warning: ID mismatch: expected ID 1582, got 13152
> ;; Warning: ID mismatch: expected ID 1582, got 13152
> ;; Warning: ID mismatch: expected ID 1582, got 13152
> 
> ; <<>> DiG 9.3.5-P2 <<>> @130.76.96.65 boeing.com soa +dnssec +norec
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> I guess our firewall could be tinkering with the request IDs?  Perhaps
> as a result of dnssec being on... hmm.

Thanks Mark.

Alright, I believe the "DNS Scrambling" feature of our firewall could
be causing the issue -- that or scrambling on boeing.com's end.  Maybe
someone can comment...

It seems that the transaction IDs are being changed and so the "Format
Error" packets coming back from boeing are dropped by BIND.  This is
why I see BIND cycling through all their nameservers -- the query
timeout is being triggered.  If the transaction IDs matched correctly,
the Format Error would be processed and the query would be
retransmitted without EDNS correctly.

What I'm trying to figure out is if this is a result of scrambling on
*our* end, the remote end or a combination of both.  Clearly the vast
majority of our queries succeed, but I don't know how exactly our
CheckPoint firewall decides to do its "scrambling" magic, and, of
course no clue on the remote end.

Anyone have any thoughts to add?

Ray
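The failure mode described in this message, as an added example that is not part of the thread: a minimal EDNS query with an OPT record, the FORMERR reply a non-EDNS server returns, and the resolver's transaction-ID check that decides whether that reply triggers a retry without EDNS or is silently dropped (the IDs 1582 and 13152 are taken from the dig output above; all function names are illustrative, not BIND's).

```python
import struct

FORMERR = 1          # RCODE 1, "Format Error"
QR = 0x8000          # header flag: this packet is a response

def build_query(txid, name, qtype=6, edns=True):
    """Query with one QUESTION and, if edns, an OPT pseudo-RR in the ADDITIONAL section."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    # flags 0x0000: RD clear, matching dig +norec; ARCOUNT=1 announces the OPT record
    hdr = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if edns else 0)
    pkt = hdr + qname + struct.pack("!HH", qtype, 1)   # SOA, class IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field carries
        # ext-RCODE/version/flags (DO bit set, as with dig +dnssec), RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return pkt

def formerr_reply(txid):
    """What an EDNS-unaware server sends back: same ID, QR set, RCODE=FORMERR, no records."""
    return struct.pack("!HHHHHH", txid, QR | FORMERR, 0, 0, 0, 0)

def handle_reply(sent_id, sent_edns, reply):
    """The resolver-side decision: ID must match before anything else is looked at."""
    rid, flags, *_ = struct.unpack("!HHHHHH", reply[:12])
    if rid != sent_id:
        return "dropped: ID mismatch"          # reply never reaches the RCODE logic
    if not flags & QR:
        return "dropped: not a response"
    if (flags & 0x000F) == FORMERR and sent_edns:
        return "retry without EDNS"            # the intended fallback path
    return "use reply"

def simulate(firewall_scrambles):
    """Constructed scenario: the reply arrives with either the original or a rewritten ID."""
    sent_id = 1582
    query = build_query(sent_id, "boeing.com")          # EDNS query, as dig +dnssec sends
    reply_id = 13152 if firewall_scrambles else sent_id  # rewritten ID, not mapped back
    outcome = handle_reply(sent_id, True, formerr_reply(reply_id))
    if outcome == "retry without EDNS":
        assert 41 not in struct.unpack("!HH", build_query(sent_id, "boeing.com", edns=False)[-4:])
    return outcome

if __name__ == "__main__":
    print("IDs intact: ", simulate(False))
    print("IDs rewritten:", simulate(True))
```

With intact IDs the FORMERR is processed and the next query goes out without the OPT record; with a rewritten ID the same FORMERR is discarded, and the only thing the resolver ever sees is the timeout.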
