not all name servers advertise right edns0 size limit?
Mark Andrews
marka at isc.org
Mon Mar 25 00:51:20 UTC 2013
In message <2013032507232012562410 at gmail.com>, "Liu Mingxing" writes:
> Dear,
>
> I ran dig for some domains against some resolvers and name servers and found
> that they do not advertise the right reply size limit, even though in fact
> they support a sufficient size.
> When the resolver 114.114.114.114 is queried, it returns the following
> result.
> root at localhost ~# dig @114.114.114.114 com any +dnssec +bufsize=4096
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @114.114.114.114 com any
> +dnssec +bufsize=4096
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10405
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;com. IN ANY
>
> ;; ANSWER SECTION:
> com. 84506 IN RRSIG DNSKEY 8 1 86400
> 20130329182533 20130322182033 30909 com.
> bkJL6r7iv1PLxVSGbJczd2uMvndJA8lFVDPL+hIo08YjRlhD10qnewEW
> uIrCABkPy6xS79hHu3oXMoNjucZ8BdKxgrZf7ZnQ4Iv7IwzSPI62qaWQ
> t7sngLctJqPvxBccRYwfz+R0lv/gELnwvK2XX+xxIgDACMorkdEnzPQh
> utZS/PrhqVpqicyxMIqCssSu2Vphj7Xe7Y+EkNzjUIBXaXbMfHDFPpsv
> 0a2Pkec5BWj8NtKDN9LlCx0KXvwTsl12H9yyWM6AFo1Px968R1wFeYZA
> uqozJYhojx8SQ4mUpnYLby+ABiJIK+Q4XyvL1JhQEATqwYs+co/wBAkz mVgJAQ==
> com. 84506 IN DNSKEY 256 3 8
> AQPcnY9mVa8t+3ab9SsbKjGh38DXxdCZsL0sCdUEzyj1b3nN9BFLolfM
> o7PyfRhOw29YvgwHq1wRB2nRWcOpuUZhgZNOxWqLoOu84KR7HtQmY1yZ
> uSkh9WA6mUDQT+i/7zpUVbtmZqNJm5SuQZFE0hn+N5CMxnXOLOsHJsn6 WvB1sQ==
>
> ;; Query time: 31 msec
> ;; SERVER: 114.114.114.114#53(114.114.114.114)
> ;; WHEN: Sun Mar 24 16:08:01 2013
> ;; MSG SIZE rcvd: 458

114.114.114.114 is not even RFC 1035 compliant as it fails to set
TC=1 if it can't add all the records of an RRset to the answer section.
The above answer has a partial RRset for DNSKEY/COM.

> The bufsize option is set in order to tell the resolver to turn on edns0, but
> it ignores it. By using OARC's DNS Reply Size Test
> Server (https://www.dns-oarc.net/oarc/services/replysizetest),
> it is found that the resolver actually supports edns0. Maybe while it
> supports edns0, it does not tell this to clients?

That is the way it looks.

> root at localhost ~# dig +short rs.dns-oarc.net txt @114.114.114.114
> rst.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net.
> "Tested at 2013-03-24 22:59:55 UTC"
> "58.217.249.137 sent EDNS buffer size 4096"
> "58.217.249.137 DNS reply size limit is at least 3843"
> Unlike the resolver, the root gives a size that is not the right size it
> supports. The edns0 size in the result is 512B while the message size is
> 727B. That is to say, 512 is not right?
> root at localhost ~# dig @a.root-servers.net com any +dnssec +bufsize=4096
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @a.root-servers.net com
> any +dnssec +bufsize=4096
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65447
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;com. IN ANY
> ;; AUTHORITY SECTION:
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> .................
> com. 86400 IN DS 30909 8 2
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com. 86400 IN RRSIG DS 8 1 86400
> 20130331000000 20130323230000 40323 .
> N2LWYkOwbv/oecFw3cuE1K7wphnmWzMVVSvRYbgFYUlUxhbCbh1KogVt
> a7uUieHPwXyf6QT56+Au3XfHrwTZzXiy1nHx2tdmAiH/IuAEbyOBPECf
> 5dEeuKWpz6StQbn3OOxBaMauFShANT5gMsrqSvRDURvuOa8cdT7EaMhU ikQ=
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
> a.gtld-servers.net. 86400 IN A 192.5.6.30
> b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
> ...............
> ;; Query time: 43 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Sun Mar 24 16:20:17 2013
> ;; MSG SIZE rcvd: 727

a.root-servers.net is an anycast server. They do not want to get
fragmented requests so they are advertising a buffer size that
usually does not result in fragmentation of traffic to the server.
They still honour the client's advertised buffer size when sending
responses.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
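
The two replies discussed in this thread differ in their TC flag and OPT pseudo-record, which can be read straight from the wire format. The following is an added example, not part of the original messages: it parses a raw DNS reply and reports the TC flag, whether an OPT record came back, and the UDP size it advertises. The sample replies are constructed to mirror the flags and sizes in the dig output above, and the function names are hypothetical.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_summary(msg):
    """Extract the TC flag and the OPT pseudo-record fields from a DNS reply."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    out = {"tc": bool(flags & 0x0200), "opt": False, "udp": None,
           "do": False, "size": len(msg)}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                # OPT: CLASS holds the sender's UDP size
            out.update(opt=True, udp=rclass, do=bool(ttl & 0x8000))
        off += 10 + rdlen
    return out

def notes(s):
    """Interpret a reply to a query that was sent with EDNS0 (+bufsize=4096)."""
    found = []
    if not s["opt"]:
        found.append("no OPT in reply: server did not signal EDNS0")
    elif s["size"] > s["udp"]:
        found.append("reply exceeds server's advertised size: allowed, "
                     "that size limits what the server receives")
    return found

# Constructed sample replies (not captured traffic), question "com. IN ANY".
QUESTION = b"\x03com\x00" + struct.pack("!HH", 255, 1)
DNSKEY = b"\xc0\x0c" + struct.pack("!HHIH", 48, 1, 84506, 4) + b"\x01\x00\x03\x08"
FILLER = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 0, 683) + b"\x00" * 683
OPT_512 = b"\x00" + struct.pack("!HHIH", 41, 512, 0x8000, 0)
# Like the resolver's reply: qr rd ra, one answer record, no OPT at all.
RESOLVER_REPLY = struct.pack("!6H", 10405, 0x8180, 1, 1, 0, 0) + QUESTION + DNSKEY
# Like the root's reply: qr rd, 727 bytes in total, OPT advertising udp 512.
ROOT_REPLY = struct.pack("!6H", 65447, 0x8100, 1, 0, 1, 1) + QUESTION + FILLER + OPT_512
```

A clear TC flag on its own does not show that an RRset is complete; that needs a comparison against the full RRset fetched over TCP or from the authoritative servers.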