Strange CNAME issue
Mark Andrews
marka at isc.org
Fri Jan 22 01:34:43 UTC 2010
In message <A9981203-CA2A-4BA2-B95B-08D992178344 at mellmo.com>, seren writes:
>
> Thanks for your response. I didn't know about the +trace option in dig.
> After some more searching, I believe you are correct about the long
> responses being related. The responses that fail all seem to exceed
> 512 bytes. Why this would happen in multiple locations is a mystery but
> perhaps our firewalls are configured similarly. I'll look into the
> firewall settings on my end, but since there may be other devices out
> there configured similarly I'll need to try and reduce my CNAMEs to fit
> into a 512-byte response or switch them to A records.
>
> -seren
Some firewall vendors / operators think that all UDP DNS responses
are <= 512 bytes of payload. This has not been the case officially
for over a decade now with EDNS, and was never one in practice as
there have always been servers that sent larger responses as long
as I've been working with DNS, ~20 years now.
Some firewall vendors / operators think that TCP DNS is only used
for AXFR. This has *never* been the case.
One or both of these may be the problem.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
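To make the size argument in this thread concrete, here is an added example (not code from the thread or from ISC) that builds DNS responses in wire format, counts how many CNAME hops fit under the classic 512-byte UDP limit, shows how an EDNS(0) OPT record advertises a larger buffer, and returns the truncate-and-retry-over-TCP outcome a resolver must handle when a firewall or a non-EDNS client caps responses at 512 bytes. All names (www.example.com, hopN.example.net) and the address 192.0.2.1 are constructed placeholders; nothing is sent on the network.

```python
"""Wire-size accounting for DNS responses: the RFC 1035 512-byte UDP limit,
EDNS(0) buffer advertisement, and when a client must fall back to TCP.
Constructed example: it builds messages locally and never touches the network."""
import struct

CLASSIC_UDP_LIMIT = 512                 # maximum UDP payload without EDNS (RFC 1035)
TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA (no name compression)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def opt_rr(udp_payload_size: int) -> bytes:
    """EDNS(0) OPT pseudo-record: root owner name, TYPE 41, CLASS field carries
    the UDP payload size the sender is willing to accept (RFC 6891)."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_response(qname: str, chain: list, addr: str, edns_size=None, tc=False) -> bytes:
    """Response to an A query for `qname`: a CNAME hop for every name in `chain`,
    ending in an A record for the last name. `edns_size` adds an OPT record;
    `tc` sets the TC (truncated) flag."""
    flags = 0x8180 | (0x0200 if tc else 0)            # QR + RD + RA, optionally TC
    names = [qname] + chain
    answers = b"".join(rr(names[i], TYPE_CNAME, encode_name(names[i + 1]))
                       for i in range(len(chain)))
    answers += rr(names[-1], TYPE_A, bytes(int(o) for o in addr.split(".")))
    additional = opt_rr(edns_size) if edns_size else b""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(chain) + 1, 0, 1 if edns_size else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + answers + additional


def udp_outcome(response: bytes, client_bufsize: int = CLASSIC_UDP_LIMIT) -> str:
    """What a server does with `response` for a client that will accept
    `client_bufsize` bytes over UDP (512 if the client sent no OPT record)."""
    if len(response) <= client_bufsize:
        return "fits"
    return "truncated: TC=1, client retries over TCP"


def max_cnames_within(qname: str, suffix: str, addr: str,
                      limit: int = CLASSIC_UDP_LIMIT, edns_size=None) -> int:
    """Longest CNAME chain (hop names constructed as hop<N>.<suffix>) whose
    full response still fits in `limit` bytes."""
    n = 0
    while True:
        chain = ["hop%d.%s" % (i, suffix) for i in range(n + 1)]
        if len(build_response(qname, chain, addr, edns_size)) > limit:
            return n
        n += 1


if __name__ == "__main__":
    one_hop = build_response("www.example.com", ["hop0.example.net"], "192.0.2.1")
    print("one CNAME hop, no EDNS:", len(one_hop), "bytes ->", udp_outcome(one_hop))
    print("max hops under 512 bytes:",
          max_cnames_within("www.example.com", "example.net", "192.0.2.1"))
    print("max hops with EDNS 4096:",
          max_cnames_within("www.example.com", "example.net", "192.0.2.1", 4096, 4096))
    ten_hops = build_response("www.example.com",
                              ["hop%d.example.net" % i for i in range(10)], "192.0.2.1")
    print("ten hops to a 512-byte client:", len(ten_hops), "bytes ->", udp_outcome(ten_hops))
```

The sizes are an upper bound, since real servers compress repeated names, but the shape of the problem is the same: a chain of CNAMEs plus the terminating A record grows linearly, crosses 512 bytes after a handful of hops, and from then on a client that cannot do EDNS (or sits behind a device that drops large UDP or non-AXFR TCP) sees either a TC=1 answer it must retry over TCP or nothing at all. Watching for TC=1 responses and failed port 53 TCP connections in resolver logs is the quickest way to confirm the diagnosis from the thread.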