Problem with ed.gov

Warren Kumari warren at kumari.net
Fri Jan 20 02:50:27 UTC 2012


On Jan 19, 2012, at 8:14 PM, Mark Andrews wrote:

> 
> In message <4F18B4A5.3050402 at rancid.berkeley.edu>, Michael Sinatra writes:
>> Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
>> sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
>> but the buffer size can easily be set higher.
> 
> Which often requires a recompile.  Additionally RFC 2671 also says
> DO NOT use the theoretical maximum.  AFAIK no one defaults to more
> than 4K at this point.  There is very little benefit, at this point,
> in going above 4K.  4K is also the current recommended value.
> Additionally even if the resolver supports >4K responses the server
> also has to support >4K responses.

Yes, but my concern here is that "DNS responses can *never* be bigger than 4k" gets baked into the public consciousness, just like "DNS packets can never be bigger than 512 bytes" seemed to be...
One day, 10 years from now, a shiny new extension is going to have deployment issues because the firewall monkeys have configured yet another limit...

W



> 
> Mark
> 
>> Moreover, the EDNS0 
>> buffer size merely specifies the size where the UDP response becomes 
>> truncated and must fall over to TCP.  If you limit UDP responses and 
>> also block TCP, you may also someday block legitimate traffic.  At this 
>> point it's extremely unlikely, but at one time DNS responses in the 
>> range of 1k-2k seemed extremely unlikely...
>> 
>> michael
>> 
>> On 01/19/12 12:34, Faehl, Chris wrote:
>>> Josh - are you using Cisco firewalls? We've seen problems resolving other
>>> .gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
>>> size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
>>> results and fixed those problems without other operational impact.
>>> 
>>> Chris Faehl
>>> Director, Cloud Architecture
>>> RightNow Technologies
>>> 
>>> On 1/19/12 12:39 PM, "Baird, Josh"<jbaird at follett.com>  wrote:
>>> 
>>>> Ugly fix, but it does work.  I already had that in place as a "band-aid"
>>>> anyways.
>>>> 
>>>> Josh
>>>> 
>>>> -----Original Message-----
>>>> From: WBrown at e1b.org [mailto:WBrown at e1b.org]
>>>> Sent: Thursday, January 19, 2012 2:36 PM
>>>> To: Baird, Josh
>>>> Cc: bind-users at lists.isc.org
>>>> Subject: Re: Problem with ed.gov
>>>> 
>>>> Josh wrote on 01/19/2012 02:06:05 PM:
>>>> 
>>>>> My resolvers seem to be having problems resolving ed.gov hosts. Others
>>>>> have reported similar problems, but I am having trouble figuring out
>>>>> where the problem lies.  Some other resolvers seem to be resolving
>>>>> ed.gov correctly.  I am able to query their authoritative servers
>>>>> directly from the same network where my resolvers are located.  But,
>>>>> my resolvers are not able to recurse to them.
>>>> 
>>>> [snip]
>>>>> Is anyone else having problems?  Can you spot anything that could be
>>>>> preventing my/our resolvers to successfully query this?
>>>>> 
>>>> 
>>>> Years ago, we had problems with ed.gov.  We added the following to our
>>>> config on 2009-08-11 to forward to their name servers:
>>>> 
>>>> zone "ed.gov" {
>>>>        type forward;
>>>>        forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185;
>>>> 160.109.63.186;
>>>>  };
>>>> };
>>>> 
>>>> Ugly fix? You bet!  But the problems went away...
>>>> 
>>>> IIRC, we did network sniffs at the perimeter and a bunch of other
>>>> troubleshooting to no avail.
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>> 
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>> 
>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 


---
Don't be impressed with unintelligible stuff said condescendingly.
    -- Radia Perlman.

Warren Kumari
warren at kumari.net
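As an added example, not code from anyone in this thread, here is a small stdlib-only Python probe for the failure mode the posters describe: it sends a query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, checks the TC bit in the reply, and retries over TCP the way a resolver would, so a middlebox that caps UDP replies at 512 bytes or blocks TCP/53 shows up as TC=1 followed by no TCP answer. The resolver address 127.0.0.1 and the choice of DNSKEY as the query type are assumptions for illustration.

```python
"""Probe the EDNS0 / TCP-fallback path discussed in the thread (stdlib only)."""
import random
import socket
import struct

def build_query(name, qtype=48, udp_size=4096, dnssec_ok=True, qid=None):
    """DNS query with an EDNS0 OPT record advertising udp_size (RFC 2671).
    qtype 48 = DNSKEY (assumed here): its signed answers routinely exceed 512 bytes."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = [bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")]
    question = b"".join(labels) + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = our UDP payload size,
    # TTL = ext-rcode | version | flags (DO bit 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def parse_header(resp):
    """Decode the 12-byte header; TC (0x0200) means the UDP answer was cut short."""
    qid, flags, _qd, an, _ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "additional": ar, "size": len(resp)}

def probe(server, name, udp_size=4096, timeout=3.0):
    """Query over UDP; if TC is set, repeat over TCP exactly as a resolver would.
    Returns (udp_header, tcp_header_or_None): TC=1 followed by None is the
    'UDP capped and TCP/53 blocked' case the thread warns about."""
    q = build_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        udp = parse_header(s.recv(65535))
    if not udp["tc"]:
        return udp, None
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack(">H", len(q)) + q)  # TCP framing: 2-byte length prefix
            (n,) = struct.unpack(">H", t.recv(2))
            buf = b""
            while len(buf) < n:
                chunk = t.recv(n - len(buf))
                if not chunk:
                    break
                buf += chunk
            return udp, parse_header(buf)
    except (OSError, struct.error):
        return udp, None

if __name__ == "__main__":
    print(probe("127.0.0.1", "ed.gov"))  # assumed resolver address; point at the one under test
```

Run it once against the resolver and once against the authoritative servers from the same network, as Josh did by hand; the pair of headers tells you which hop drops large UDP or TCP.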





