Resolving .gov w/dnssec

Casey Deccio casey at deccio.net
Thu Apr 22 22:22:05 UTC 2010


On Thu, Apr 22, 2010 at 11:36 AM, Michael Sinatra <michael at rancid.berkeley.edu> wrote:

> But it doesn't contain the RRSIGs for the DNSKEY.  'dig +norec +cdflag
> dnskey uspto.gov @dns1.uspto.gov' does not contain RRSIGs so it is only
> 1131 bytes.  A non-EDNS0 query will receive the TC bit and will retry in
> TCP.  'dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov' has a response
> that includes the RRSIGs and is 1736 bytes, which on most ethernets will
> cause UDP fragmentation.  I get a timeout when using dig with +dnssec and
> without +vc.  However, 'dig +bufsize=1024 +dnssec +norec dnskey uspto.gov
> @dns1.uspto.gov' which sets an EDNS0 buffer size of 1024, does get a
> response, after retrying in TCP mode.
>
> In other words, uspto.gov's DNS servers and network are able to send
> responses longer than 512 bytes, but if the response is longer than 1500
> bytes, something in the network between those DNS servers and the rest of us
> is blocking the UDP fragments.
>
>
Actually, what seems interesting to me is that the cutoff seems to be at a
payload size of 1736, which happens to be the exact size of the complete
response.  Is this just coincidence?

$ dig +bufsize=1735 +dnssec @dns1.uspto.gov uspto.gov dnskey

;; Truncated, retrying in TCP mode.

$ dig +bufsize=1736 +dnssec @dns1.uspto.gov uspto.gov dnskey

; <<>> DiG 9.6.1-P3 <<>> +bufsize=1736 +dnssec @dns1.uspto.gov uspto.gov dnskey
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Casey
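As an added illustration, not part of the thread, here is a small raw-socket Python script that repeats the bufsize sweep Casey did with dig: it builds a DNSKEY query carrying an EDNS0 OPT record with a chosen UDP payload size and the DO bit, then classifies each reply as truncated (TC set, so a resolver would retry over TCP), a full UDP answer, or a timeout (the symptom of fragments being dropped in the path). The server and zone names are parameters; the 1735/1736 sizes in the sweep come from the thread and everything else is a constructed default.

```python
import os
import socket
import struct

def build_query(name, qtype, bufsize, dnssec=True, txid=None):
    """Wire-format query with an EDNS0 OPT record (RFC 6891).
    bufsize is the advertised UDP payload size (dig +bufsize);
    dnssec=True sets the DO bit (dig +dnssec); RD is left clear (dig +norec)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO = 0x8000, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if dnssec else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Return the header fields a fragmentation probe cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}

def probe(server, name, bufsize, qtype=48, timeout=5.0):
    """Send one UDP query (qtype 48 = DNSKEY) and classify the outcome:
    'tc' (server truncated; a TCP retry would follow), 'ok' (full answer over
    UDP), or 'timeout' (nothing came back, the signature of dropped fragments)."""
    query = build_query(name, qtype, bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return "timeout"
    hdr = parse_header(data)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        return "timeout"  # stray datagram, not an answer to our query
    return "tc" if hdr["tc"] else "ok"

def sweep(server, name, sizes=(512, 1024, 1232, 1472, 1735, 1736, 4096)):
    """Map advertised bufsize -> outcome to locate where UDP answers stop arriving."""
    return {size: probe(server, name, size) for size in sizes}

if __name__ == "__main__":
    # Constructed invocation; substitute the server and zone under test.
    for size, result in sweep("dns1.uspto.gov", "uspto.gov").items():
        print(f"bufsize={size:5d} -> {result}")
```

A jump straight from 'tc' to 'timeout' as bufsize crosses the response size, with no 'ok' in between, is the pattern described in this thread: the server is willing to answer over UDP, but fragmented datagrams never arrive.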