Bind, dnssec, udp fragmentation woes.

Mark Andrews marka at isc.org
Fri Oct 2 03:22:29 UTC 2009


You really want to work out what is being blocked, EDNS?, responses
bigger than 512 bytes? DNSSEC? fragmented responses?  With a clean
path all of these should succeed but only the last one won't have
"tc" set.  This does a plain DNS query, an EDNS query that limits
the response to 512 bytes, a DNSSEC query that limits the response
to 512 bytes, a DNSSEC query that limits the response to something
that would not normally be fragmented but exceeds 512 bytes, a
DNSSEC query that will normally be fragmented.

% dig soa se @192.36.133.107 +norec +ignore 
% dig soa se @192.36.133.107 +norec +ignore +bufsize=512
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec

Named does the following by default.  Ensure you have an up-to-date
version of named

dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org