Troubleshooting slow DNS lookup
Rianto Wahyudi
me at rwahyudi.com
Wed Dec 8 06:51:02 UTC 2010
Hi Mark,
Thanks for your quick response!
> Standards Track.
> RFC 2671 Extension Mechanisms for DNS (EDNS0)
> RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
Unfortunately, the RFC is not considered good enough ... unless we
can find actual proof that can be replicated :(
I have also done some DNSSEC trace demonstrations, and it is still not a good
enough reason:
i.e.: dig www.anyhostname.com +trace +dnssec .
This test always fails and it produces an FWSM log entry similar to:
: %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to 10.0.0.1/64788 due to DNS Response
> Informational.
> RFC 4294 IPv6 Node Requirements
>
> http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
>
> How about the root servers?
>
>> - Any example of dns record that send packet larger than 512 ?
>
> The root servers.
>
> dig +dnssec dnskey .
This, for some reason ... works without any problem:
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec dnskey .
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 86400 IN DNSKEY 256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
. 86400 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; AUTHORITY SECTION:
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 2592000 IN A 198.41.0.4
b.root-servers.net. 2592000 IN A 192.228.79.201
c.root-servers.net. 2592000 IN A 192.33.4.12
d.root-servers.net. 2592000 IN A 128.8.10.90
e.root-servers.net. 2592000 IN A 192.203.230.10
f.root-servers.net. 2592000 IN A 192.5.5.241
g.root-servers.net. 2592000 IN A 192.112.36.4
h.root-servers.net. 2592000 IN A 128.63.2.53
i.root-servers.net. 2592000 IN A 192.36.148.17
k.root-servers.net. 2592000 IN A 193.0.14.129
a.root-servers.net. 2592000 IN AAAA 2001:503:ba3e::2:30
f.root-servers.net. 2592000 IN AAAA 2001:500:2f::f
h.root-servers.net. 2592000 IN AAAA 2001:500:1::803f:235
;; Query time: 547 msec
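
One way to build a repeatable test for the symptom discussed in this message, added here as an example and not part of the original post: the same question is sent over UDP at two advertised EDNS0 buffer sizes (RFC 2671) and the outcomes are compared. The function names and the sample replies are constructed for illustration; `server` is an assumption, to be set to the resolver or name server you want to test through the firewall.

```python
import socket
import struct

def build_query(name, qtype, udp_size, do=True, qid=0x1234):
    """DNS query with an EDNS0 OPT record (RFC 2671) advertising udp_size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = [l for l in name.split(".") if l]                # "." gives the root name
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root owner, TYPE 41, CLASS carries the UDP size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def classify(reply, legacy_limit=512):
    """Summarise a raw reply; None means nothing arrived before the timeout."""
    if reply is None:
        return "no reply (dropped on the path or timed out)"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:  # TC bit: server truncated, client should retry over TCP
        return f"truncated reply, {len(reply)} bytes"
    size = "over" if len(reply) > legacy_limit else "within"
    return f"complete reply, {len(reply)} bytes, {size} {legacy_limit}"

def probe(server, name, qtype, udp_size, timeout=3.0):
    """Send one UDP query and return the raw reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, udp_size), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def compare(server, name, qtype=48):
    """Same question (default type 48, DNSKEY) at two advertised sizes. A reply
    at 512 but none at 4096 points at a device on the path that drops DNS
    responses larger than 512 bytes."""
    return {size: classify(probe(server, name, qtype, size)) for size in (512, 4096)}

if __name__ == "__main__":
    # Constructed replies (header plus zero padding), so this part runs offline.
    small = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + bytes(100)
    large = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + bytes(724)
    cut = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + bytes(50)
    for r in (small, large, cut, None):
        print(classify(r))
```

Running `compare(server, ".")` from a host behind the firewall and again from a host outside it gives two results that can be set side by side with the firewall's deny log for the same time window.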
More information about the bind-users
mailing list