Resolving .gov w/dnssec

Michael Sinatra michael at rancid.berkeley.edu
Fri Apr 23 17:43:29 UTC 2010


On 04/22/10 18:48, Timothe Litt wrote:
> I get a "connection timed out; no servers could be reached" after the
> "Truncated, retrying in TCP mode" even with +bufsiz=512

I get a correct response when I use +bufsiz=512.  After "Truncated, 
retrying in TCP mode" I get a response, but apparently you don't.

> I am not blocking tcp/53. In fact, telnet dns1.uspto.gov 53 will happily
> establish a connection :-) I'm on a fiber (Verizon FiOS business)
> circuit - given that others are seeing this over a wide geography, seems
> like the investigation needs to start closer to the .gov servers...

Certainly for the UDP fragmentation issue that's true.  Everyone seems 
to be having that problem.  But you seem to be the only one having the 
problem where you can't receive TCP even if you set a low bufsize.  I 
can fall back to TCP just fine as long as I set a low bufsize.

> If you're into numerology, 1736 is 1500 + 236 -- with a 20 byte header
> on the 236, you get 256 for the fragment - which is mildly curious.
> Folks on DSL should remember that their magic number is less than 1500
> bytes (1492 is common, as is 1453).

...which makes me think that there is a PMTUD issue in your situation. 
You can establish a TCP connection, but perhaps you receive a larger 
packet than you can actually receive and you can't signal that you can't 
receive such a packet because someone is blocking ICMP on the path 
between you and uspto.gov.  Only a packet trace will even begin to yield 
some clues there.

*If* that's true, that, combined with the UDP fragment blockage just 
makes me think: "My, how we've gunked up the Internet."

michael
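As an added illustration of the mechanics the thread is arguing about (this is example code, not from the list post and not BIND's or dig's own implementation), the script below rebuilds the part of dig that the `+bufsize` option and the "Truncated, retrying in TCP mode" message come from: it sends a query carrying an EDNS0 OPT record that advertises a UDP payload size, checks the TC bit in the reply, and repeats the same query over TCP with the two-byte length prefix if the answer was truncated. All function names, the fake transports, and the server address 192.0.2.53 are this example's own assumptions; the offline demo simulates a server that truncates any reply when the client advertises 512 bytes, which is the behaviour Michael describes seeing.

```python
"""Minimal re-creation of dig's +bufsize / TC-bit / TCP-retry logic (added example)."""
import socket
import struct
import sys

TC_BIT = 0x0200            # Truncated flag in the DNS header flags word
DO_BIT = 0x8000            # DNSSEC OK flag, carried in the OPT record's TTL field
OPT_TYPE = 41
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """'dns1.uspto.gov' -> b'\\x04dns1\\x05uspto\\x03gov\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, bufsize=512, txn_id=0x1234, dnssec_ok=True):
    """Wire-format query with an EDNS0 OPT RR advertising bufsize (what dig +bufsize=N sets)."""
    # flags 0x0100 = RD; QDCOUNT=1; ARCOUNT=1 for the OPT pseudo-RR
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS = requestor's UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16, DO bit), RDLEN=0
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header; 'tc' is the truncation bit dig reacts to."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "tc": bool(flags & TC_BIT), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def udp_exchange(server, query, timeout=3.0):
    """One UDP round trip; a fragment-dropping path shows up here as socket.timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(65535)
    return data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed mid-message")
        buf += chunk
    return buf


def tcp_exchange(server, query, timeout=3.0):
    """DNS over TCP: each message is prefixed by a 2-byte big-endian length (RFC 1035 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def query_with_fallback(server, name, qtype=TYPE_A, bufsize=512,
                        udp=udp_exchange, tcp=tcp_exchange):
    """Ask over UDP; if the reply has TC set, repeat the identical query over TCP.

    Returns (transport_used, reply_bytes). An exception from udp/tcp is the
    equivalent of dig's "no servers could be reached".
    """
    query = build_query(name, qtype, bufsize)
    reply = udp(server, query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch in UDP reply")
    if not hdr["tc"]:
        return "udp", reply
    return "tcp", tcp(server, query)      # "Truncated, retrying in TCP mode"


# --- constructed offline stand-ins: a server that truncates when the client says 512 ---
def _fake_reply(query, tc):
    txn_id = parse_header(query)["id"]
    flags = 0x8180 | (TC_BIT if tc else 0)   # QR, RD, RA, optionally TC
    return struct.pack("!HHHHHH", txn_id, flags, 1, 0 if tc else 1, 0, 0)


def fake_udp(server, query):
    (bufsize,) = struct.unpack("!H", query[-8:-6])   # CLASS field of the trailing OPT RR
    return _fake_reply(query, tc=bufsize <= 512)


def fake_tcp(server, query):
    return _fake_reply(query, tc=False)


def demo():
    """Offline run of the +bufsize=512 case from the thread (192.0.2.53 is a placeholder)."""
    return query_with_fallback("192.0.2.53", "uspto.gov", TYPE_NS, 512,
                               udp=fake_udp, tcp=fake_tcp)


if __name__ == "__main__":
    if len(sys.argv) == 3:       # python3 script.py <server-ip> <name>  (real network)
        transport, reply = query_with_fallback(sys.argv[1], sys.argv[2], TYPE_NS)
    else:
        transport, reply = demo()
    print("answered over", transport, parse_header(reply))
```

Run with no arguments to see the simulated truncate-then-TCP path; run with a server address and a name to reproduce the real test the list is discussing. If the UDP step times out with a large bufsize but succeeds with 512, the server's reply is being lost as fragments; if the TCP step then hangs instead of answering, the problem is on the TCP path itself, which is the PMTUD suspicion raised above.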
