Problem with ed.gov

Michael Sinatra michael at rancid.berkeley.edu
Fri Jan 20 00:26:13 UTC 2012


Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
but the buffer size can easily be set higher.  Moreover, the EDNS0 
buffer size merely specifies the size where the UDP response becomes 
truncated and must fall over to TCP.  If you limit UDP responses and 
also block TCP, you may also someday block legitimate traffic.  At this 
point it's extremely unlikely, but at one time DNS responses in the 
range of 1k-2k seemed extremely unlikely...

michael

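The mechanism behind the advice above (OPT RR advertising a UDP payload size, TC bit, TCP fallback), as an added example that is not code from the thread or from BIND. Function names are my own; `resolve()` needs a resolver address you supply, while the wire-format helpers run offline.

```python
import socket
import struct
QTYPE = {"A": 1, "NS": 2, "DNSKEY": 48}
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 2671)
DO_BIT = 0x8000    # high bit of the OPT TTL field: ask for DNSSEC records
TC_FLAG = 0x0200   # header flag: the response was truncated

def build_query(name, qtype="A", udp_size=4096, dnssec=True, txid=0x1234):
    """Recursive query for `name` with an OPT RR advertising `udp_size`; the OPT
    CLASS field carries that size, so 512 vs 4096 is a two-byte difference."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root owner name, TYPE=41, CLASS=udp_size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if dnssec else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header: id, TC flag, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def needs_tcp_fallback(udp_reply):
    """TC=1: the answer exceeded the advertised UDP size, so the client must retry
    over TCP; a firewall passing 53/udp but blocking 53/tcp fails right here."""
    return parse_header(udp_reply)["tc"]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed mid-message")
        buf += chunk
    return buf

def resolve(name, qtype, server, udp_size=4096, timeout=3.0):
    """Query over UDP, then over TCP (2-byte length prefix) if truncated."""
    q = build_query(name, qtype, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply, _ = u.recvfrom(65535)
    if not needs_tcp_fallback(reply):
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        return _recv_exact(t, length), "tcp"
```

Running `resolve("ed.gov", "DNSKEY", "<resolver IP>", udp_size=512)` and again with `udp_size=4096` shows whether the smaller size forces the TCP retry that a 512-byte "dns inspect" limit or a blocked 53/tcp would break.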
On 01/19/12 12:34, Faehl, Chris wrote:
> Josh - are you using Cisco firewalls? We've seen problems resolving other
> .gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
> size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
> results and fixed those problems without other operational impact.
>
> Chris Faehl
> Director, Cloud Architecture
> RightNow Technologies
>
>> On 1/19/12 12:39 PM, "Baird, Josh" <jbaird at follett.com> wrote:
>
>> Ugly fix, but it does work.  I already had that in place as a "band-aid"
>> anyways.
>>
>> Josh
>>
>> -----Original Message-----
>> From: WBrown at e1b.org [mailto:WBrown at e1b.org]
>> Sent: Thursday, January 19, 2012 2:36 PM
>> To: Baird, Josh
>> Cc: bind-users at lists.isc.org
>> Subject: Re: Problem with ed.gov
>>
>> Josh wrote on 01/19/2012 02:06:05 PM:
>>
>>> My resolvers seem to be having problems resolving ed.gov hosts.  Others
>>> have reported similar problems, but I am having trouble figuring out
>>> where the problem lies.  Some other resolvers seem to be resolving
>>> ed.gov correctly.  I am able to query their authoritative servers
>>> directly from the same network where my resolvers are located.  But, my
>>> resolvers are not able to recurse to them.
>>
>> [snip]
>>> Is anyone else having problems?  Can you spot anything that could be
>>> preventing my/our resolvers to successfully query this?
>>>
>>
>> Years ago, we had problems with ed.gov.  We added the following to our
>> config on 2009-08-11 to forward to their name servers:
>>
>> zone "ed.gov" {
>>         type forward;
>>         forwarders { 148.9.101.50; 148.9.101.52;
>>                      160.109.63.185; 160.109.63.186; };
>> };
>>
>> Ugly fix? You bet!  But the problems went away...
>>
>> IIRC, we did network sniffs at the perimeter and a bunch of other
>> troubleshooting to no avail.
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users