Problems with EDNS0

Breno Silveira Soares breno.soares at serpro.gov.br
Tue Jul 21 19:56:39 UTC 2009


Mark Andrews escreveu:
> You think there isn't a firewall.  There is something in the path
> that is blocking responses.  When you find it, can you please inform
> the manufacturer that their product is broken and you would like it
> fixed.  FORMERR is part of the base DNS specification and shouldn't
> be filtered.
>   
What I don't understand is: the FORMERR response is a normal UDP packet, ok?
What could filter this packet?

>> Queries to Akamai servers don't work with EDNS. To resolve this 
>> problem I configure bind with the directive "server <IP> { edns no; };", but 
>> it isn't a good solution.
>> From my server, some queries with EDNS work and some don't.
>>     
>
> The Akamai do respond to EDNS queries.
> Here is what you should be seeing.  It looks like something is
> filtering out the FORMERR responses.  Almost all of the above log
> messages are for zones where FORMERR is returned.  Responses from
> EDNS aware servers are getting back.
>
> B.T.W. you should use 512 as the buffer size, not 500.
>
> drugs:dnssec 13:10 {1669} % dig @n0g.akamai.net a961.g.akamai.net +bufsize=512
>
> ; <<>> DiG 9.3.6-P1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=512
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 52294
> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; Query time: 11 msec
> ;; SERVER: 60.254.186.21#53(60.254.186.21)
> ;; WHEN: Tue Jul 21 13:10:50 2009
> ;; MSG SIZE  rcvd: 12
>
> drugs:dnssec 13:10 {1670} % 
>
> Mark
My server gets responses with EDNS from some NSes on the Internet, with UDP 
packets > 512 bytes,
e.g.: "dig @a.dns.br br dnskey +dnssec +bufsize=2500"
So it's not a firewall problem. Am I correct?

 From my server, dig to Akamai with EDNS (+bufsize=512) doesn't get a 
FORMERR message; dig returns "connection timed out; no servers could be 
reached".
What could be the reason?

Thanks for your reply.

-- 
Regards,
Breno S. Soares
Network Analyst
SERPRO/SUPRE/REBHE
Tel: (31) 3311-6825




"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
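The thread turns on one observable: a pre-EDNS authoritative server answers a query carrying an OPT record with a header-only FORMERR (12 bytes, as in the dig output quoted above), while a path that filters EDNS produces a timeout instead. The script below is an added example, not code from the thread or from ISC/BIND: it builds a plain and an EDNS0 query by hand, decodes the response header, and classifies the outcome as "not EDNS-aware", "EDNS filtered in the path", "truncated", "EDNS works" or "unreachable". The two fake responders are constructed for offline use, one modelled on the quoted FORMERR reply and one reproducing the timeout symptom; `udp_send` is the only part that talks to the network and is not called by default.

```python
import socket
import struct

# Response codes from the low four bits of the DNS flags word (RFC 1035).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype=1, txid=0x1234, edns_bufsize=None):
    """Build a DNS/UDP query for qname (qtype 1 = A, RD set).

    If edns_bufsize is given, append an EDNS0 OPT pseudo-RR (RFC 6891) in the
    additional section advertising that UDP payload size, which is what
    dig +bufsize=N does.
    """
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    for label in qname.strip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt


def parse_header(resp):
    """Decode the 12-byte DNS header; a header-only FORMERR is 12 bytes total."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "size": len(resp)}


def udp_send(server, pkt, timeout=2.0):
    """Send one query over UDP/53; return the response bytes or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


def diagnose(qname, send, bufsize=512):
    """Compare a plain query with an EDNS0 query and classify the outcome.

    `send` takes the query bytes and returns response bytes or None; for a
    live check pass e.g. lambda p: udp_send("192.0.2.53", p) (address assumed).
    """
    plain = send(build_query(qname, txid=0x0001))
    edns = send(build_query(qname, txid=0x0002, edns_bufsize=bufsize))
    if plain is None and edns is None:
        return "UNREACHABLE", "no reply to either query: server down or UDP/53 blocked"
    if edns is None:
        return ("EDNS_FILTERED", "plain query answered but the EDNS query got "
                "nothing: something in the path drops EDNS queries or their replies")
    h = parse_header(edns)
    if h["id"] != 0x0002 or not h["qr"]:
        return "BOGUS", "reply does not match the EDNS query"
    if h["rcode"] == "FORMERR":
        return ("NOT_EDNS_AWARE", "FORMERR to the OPT record: server reachable "
                "but pre-EDNS; a resolver should retry without EDNS")
    if h["tc"]:
        return "TRUNCATED", "answer exceeds %d bytes; retry over TCP" % bufsize
    return "EDNS_OK", "EDNS query answered with %s (%d bytes)" % (h["rcode"], h["size"])


# Constructed responder modelled on the dig output quoted in the thread: a
# header-only FORMERR (12 bytes, flags qr rd, all counts 0) to any query that
# carries an OPT record, a NOERROR reply otherwise. Not real Akamai data.
def fake_pre_edns_server(pkt):
    txid = struct.unpack("!H", pkt[:2])[0]
    if struct.unpack("!H", pkt[10:12])[0]:          # ARCOUNT 1 => OPT present
        return struct.pack("!HHHHHH", txid, 0x8101, 0, 0, 0, 0)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + pkt[12:]


# Constructed responder for the symptom reported above: EDNS queries vanish
# somewhere in the path, plain queries are answered.
def fake_edns_dropped(pkt):
    if struct.unpack("!H", pkt[10:12])[0]:
        return None
    return fake_pre_edns_server(pkt)


if __name__ == "__main__":
    for name, responder in (("pre-EDNS server", fake_pre_edns_server),
                            ("EDNS dropped in path", fake_edns_dropped)):
        print(name, "->", diagnose("a961.g.akamai.net", responder))
```

Run against the two constructed responders the script prints NOT_EDNS_AWARE for the first and EDNS_FILTERED for the second; the difference between those two outcomes is exactly the difference between a FORMERR arriving and a timeout. The `udp_send` helper only does the UDP leg; a real check should also retry over TCP when TC is set, and use a fresh random transaction ID per query.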

