Operators, how do you handle EDNS?
Mark Andrews
Mark_Andrews at isc.org
Wed Jan 14 03:47:41 UTC 2009
In message <20090114021016.GA24625 at esri.com>, Ray Van Dolson writes:
> On Tue, Jan 13, 2009 at 05:00:38PM -0800, Ray Van Dolson wrote:
> > On Tue, Jan 13, 2009 at 04:35:46PM -0800, Mark Andrews wrote:
> > > The number of nameservers that fail to respond to EDNS
> > > queries is minuscule. The majority of nameservers on the
> > > net actually talk EDNS.
> > >
> > > I suggest that you re-analyse the failures to determine
> > > their true causes.
> > >
> > > Mark
> >
> > I'd thought we'd ruled this out, but testing again from an OOB server
> > confirms what you're saying.
> >
> > Will definitely reinvestigate.
> >
> > Initially I am getting these in response to my dig queries:
> >
> > # dig @130.76.96.65 boeing.com soa +dnssec +norec
> > ;; Warning: ID mismatch: expected ID 1582, got 13152
> > ;; Warning: ID mismatch: expected ID 1582, got 13152
> > ;; Warning: ID mismatch: expected ID 1582, got 13152
> >
> > ; <<>> DiG 9.3.5-P2 <<>> @130.76.96.65 boeing.com soa +dnssec +norec
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; connection timed out; no servers could be reached
> >
> > I guess our firewall could be tinkering with the request IDs? Perhaps
> > as a result of dnssec being on... hmm.
>
> Thanks Mark.
>
> Alright, I believe the "DNS Scrambling" feature of our firewall could
> be causing the issue -- that or scrambling on boeing.com's end. Maybe
> someone can comment...
>
> It seems that the transaction IDs are being changed and so the "Format
> Error" packets coming back from boeing are dropped by BIND. This is
> why I see BIND cycling through all their nameservers -- the query
> timeout is being triggered. If the transaction IDs matched correctly,
> the Format Error would be processed and the query would be
> retransmitted without EDNS correctly.
>
> What I'm trying to figure out is if this is a result of scrambling on
> *our* end, the remote end or a combination of both. Clearly the vast
> majority of our queries succeed, but I don't know how exactly our
> CheckPoint firewall decides to do its "scrambling" magic, and, of
> course, no clue on the remote end.
>
> Anyone have any thoughts to add?
100% your end.
>
> Ray
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
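The failure path Ray describes, modelled as an added example (this is not code from the thread, from BIND, dig or any firewall vendor). A resolver accepts a reply only if its transaction ID matches the query it sent; a FORMERR to an EDNS query is the signal to retry without the OPT record; a reply with the wrong ID is dropped and is indistinguishable from no reply, so the query eventually times out. The nameserver, the "scrambling" middlebox and the resolver below are constructed stand-ins: the server answers FORMERR to any query carrying an OPT RR, the middlebox rewrites the outbound ID with a deterministic function of my own, and the assumption that produces the symptom is that it maps the ID back only on NOERROR replies. That is one way to get the observed ID mismatch, not a description of how the real product behaves.

```python
"""Model of EDNS fallback and of an ID-rewriting middlebox breaking it (constructed example)."""
import itertools
import struct

RCODE_NOERROR = 0
RCODE_FORMERR = 1
TYPE_SOA = 6
TYPE_OPT = 41
FLAG_QR = 0x8000
EDNS_DO = 0x8000  # DO bit: high bit of the 16 flag bits carried in the OPT RR's TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def question_end(msg):
    """Offset just past the single question (QNAME + QTYPE + QCLASS) that follows the 12-byte header."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4


def build_query(qid, qname, qtype=TYPE_SOA, edns=True):
    """Header + question; with edns=True an OPT RR (EDNS0, DO set) is added, like dig +dnssec."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)  # flags 0: no RD, like +norec
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def legacy_server(query):
    """Constructed nameserver that does not speak EDNS: any query with an additional record gets
    FORMERR. As a real server would, it copies the transaction ID and the question into the reply."""
    qid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    rcode = RCODE_FORMERR if arcount else RCODE_NOERROR
    header = struct.pack("!HHHHHH", qid, FLAG_QR | rcode, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def make_firewall(server, restore_error_replies):
    """Constructed ID-rewriting middlebox. The client's ID is replaced on the way out and mapped
    back on the way in. With restore_error_replies=False, replies with a non-zero RCODE keep the
    rewritten ID (assumption used to reproduce the symptom; not a statement about any vendor)."""
    id_map = {}

    def send(query):
        client_id = struct.unpack("!H", query[:2])[0]
        wire_id = (client_id * 7919 + 13) & 0xFFFF  # arbitrary bijective "scramble" for the model
        id_map[wire_id] = client_id
        reply = server(struct.pack("!H", wire_id) + query[2:])
        reply_id, reply_flags = struct.unpack("!HH", reply[:4])
        if (reply_flags & 0xF) == RCODE_NOERROR or restore_error_replies:
            reply = struct.pack("!H", id_map.pop(reply_id)) + reply[2:]
        return reply

    return send


def resolve(qname, send, qids=None, max_tries=3):
    """Minimal resolver logic: accept a reply only if its ID matches; FORMERR to an EDNS query
    means retry without EDNS; a mismatched reply is dropped, which looks exactly like no reply."""
    qids = iter(qids) if qids is not None else itertools.count(1582)
    edns = True
    log = []
    for _ in range(max_tries):
        qid = next(qids)
        reply = send(build_query(qid, qname, edns=edns))
        reply_id, reply_flags = struct.unpack("!HH", reply[:4])
        if reply_id != qid:
            log.append("ID mismatch: expected ID %d, got %d (reply dropped)" % (qid, reply_id))
            continue
        rcode = reply_flags & 0xF
        if rcode == RCODE_FORMERR and edns:
            log.append("FORMERR to EDNS query; retrying without EDNS")
            edns = False
            continue
        return rcode, edns, log
    log.append("no usable reply after %d tries (timeout)" % max_tries)
    return None, edns, log


if __name__ == "__main__":
    paths = [("direct", legacy_server),
             ("scrambling firewall", make_firewall(legacy_server, False)),
             ("correct firewall", make_firewall(legacy_server, True))]
    for label, path in paths:
        rcode, edns, log = resolve("boeing.com", path)
        print("%s: rcode=%s edns=%s\n  %s" % (label, rcode, edns, "\n  ".join(log)))
```

Run stand-alone it prints three outcomes: direct to the legacy server the first query gets FORMERR and the retry without EDNS succeeds; through the scrambling middlebox every FORMERR comes back with a foreign ID, the resolver drops all of them and never learns that it should fall back, so the query times out; through a middlebox that restores IDs on every reply the fallback works again. The practical check this suggests is to capture the same query on both sides of the firewall and compare the ID field of the FORMERR replies: if the outside capture shows the rewritten ID and the inside capture shows it unchanged, the rewrite is not being undone on error replies.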