Troubleshooting slow DNS lookup

Rianto Wahyudi me at rwahyudi.com
Wed Dec 8 06:51:02 UTC 2010


Hi Mark,

Thanks for your quick response!

> Standards Track.
> RFC 2671 Extension Mechanisms for DNS (EDNS0)
> RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements

Unfortunately, an RFC is not considered good enough ... unless we
can find actual proof that can be replicated :(

I have also done some DNSSEC trace demonstrations, and it is still not a good
enough reason:
i.e.: dig www.anyhostname.com +trace +dnssec .
This test always fails and it produces an FWSM log entry similar to:
%FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to 10.0.0.1/64788 due to DNS Response



> Informational.
> RFC 4294 IPv6 Node Requirements
>
> http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
>


> How about the root servers?
>
>> - Any example of dns record that send packet larger than 512 ?
>
> The root servers.
>
>        dig +dnssec dnskey .

This, for some reason ... works without any problem:


; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec dnskey .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       86400   IN      DNSKEY  256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
.                       86400   IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; AUTHORITY SECTION:
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     2592000 IN      A       198.41.0.4
b.root-servers.net.     2592000 IN      A       192.228.79.201
c.root-servers.net.     2592000 IN      A       192.33.4.12
d.root-servers.net.     2592000 IN      A       128.8.10.90
e.root-servers.net.     2592000 IN      A       192.203.230.10
f.root-servers.net.     2592000 IN      A       192.5.5.241
g.root-servers.net.     2592000 IN      A       192.112.36.4
h.root-servers.net.     2592000 IN      A       128.63.2.53
i.root-servers.net.     2592000 IN      A       192.36.148.17
k.root-servers.net.     2592000 IN      A       193.0.14.129
a.root-servers.net.     2592000 IN      AAAA    2001:503:ba3e::2:30
f.root-servers.net.     2592000 IN      AAAA    2001:500:2f::f
h.root-servers.net.     2592000 IN      AAAA    2001:500:1::803f:235

;; Query time: 547 msec
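
A replicable check of the kind asked for above, as an added example that is not part of the original message: it sends the same DNSKEY query over UDP twice, advertising an EDNS0 buffer of 512 and then 4096 bytes, and compares what comes back. The function names are illustrative assumptions; the server address is a.root-servers.net as listed in the dig output.

```python
# Added example (not from the original post); function names are illustrative.
import socket
import struct

def build_query(name, qtype, bufsize, qid=0x1234):
    """DNS query in wire format with an EDNS0 OPT record and the DO bit set."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = [l.encode() for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)        # class IN
    # OPT RR: root owner, TYPE 41, CLASS = advertised UDP size, TTL carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt

def probe(server, name, qtype, bufsize, timeout=3.0):
    """Send one UDP query; return (reply_length, truncated) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    flags = struct.unpack("!H", data[2:4])[0]
    return len(data), bool(flags & 0x0200)                 # TC bit

def diagnose(small, large):
    """Interpret probes made with bufsize 512 (small) and 4096 (large)."""
    if small is None:
        return "no reply even at 512: not a size problem"
    if large is None:
        return "reply lost only when >512 is advertised: path drops large UDP DNS"
    if large[0] > 512:
        return "large reply received: path passes EDNS0"
    return "reply fits in 512: pick a name with a larger answer"

if __name__ == "__main__":
    server = "198.41.0.4"   # a.root-servers.net, from the dig output above
    small = probe(server, ".", 48, 512)     # 48 = DNSKEY
    large = probe(server, ".", 48, 4096)
    print(small, large, diagnose(small, large))
```

Run it once from behind the firewall and once from a host outside it; a timeout on the 4096 probe that appears only behind the firewall, alongside a matching deny entry in the firewall log, is the reproducible evidence.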


