DLV dnssec setup
Mark Andrews
marka at isc.org
Fri Jul 11 08:47:10 UTC 2014
In message <CALm7FAdeV4eqiAZc2vP=mnPKv4dO3C9YZu2J-LPdiFv8Eb8k6A at mail.gmail.com>, Wolfgang Rosenauer writes:
> On Fri, Jul 11, 2014 at 1:32 AM, Mark Andrews <marka at isc.org> wrote:
> >
> > Then all of the following should succeed. Please let the
> > list know how you go.
> >
> > dig soa . @198.41.0.4 +norec
> > dig soa . @198.41.0.4 +dnssec +norec
> > dig dnskey . @198.41.0.4 +dnssec +norec
> > dig ds com @198.41.0.4 +dnssec +norec
> > dig com @198.41.0.4 +dnssec +norec
> >
> > dig soa . @198.41.0.4 +tcp +norec
> > dig soa . @198.41.0.4 +dnssec +tcp +norec
> > dig dnskey . @198.41.0.4 +dnssec +tcp +norec
> > dig ds com @198.41.0.4 +dnssec +tcp +norec
> > dig com @198.41.0.4 +dnssec +tcp +norec
> >
> > dig dnskey org +dnssec @199.19.56.1 +ignore +norec
> > dig dnskey org +dnssec @199.19.56.1 +tcp +norec
>
> All but one request succeeded:
> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +norec
>
> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1
> +ignore +norec
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
Which requires fragmented UDP to be passed by the firewall. The
rest of the test UDP responses will all fit in an Ethernet frame.
Test with
dig dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432
Then set "edns-udp-size 1432;" in named.conf until you can get the firewall
fixed. This size allows for 4in6 and 6in4 encapsulations w/o fragmentation.
> I've captured with tcpdump (filter on port 53) and there were 3
> queries but no single reply packet.
> IP is reachable though.
> s15418965:~ # ping 199.19.56.1
> PING 199.19.56.1 (199.19.56.1) 56(84) bytes of data.
> 64 bytes from 199.19.56.1: icmp_seq=1 ttl=55 time=130 ms
>
>
> Wolfgang
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
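Added example, not part of the thread: a small stdlib-only Python script that shows where the 1432 figure comes from (1500-byte MTU minus the IPv6 and IPv4 headers of a 4in6/6in4 tunnel and the UDP header), builds the same DNSKEY query that "dig +bufsize=1432 +dnssec +norec" sends (with an EDNS0 OPT record advertising that payload size), and reads the TC bit of a reply. Function names and the sample bytes are the example's own.

```python
import struct

IP_HEADER = {4: 20, 6: 40}   # bytes, no options / extension headers
UDP_HEADER = 8

def max_unfragmented_payload(ip_layers=(6, 4), mtu=1500):
    """Largest UDP payload that fits one frame. ip_layers lists every IP
    header on the path, e.g. (6, 4) for 4in6 or 6in4, (4,) for plain IPv4.
    (6, 4) with a 1500-byte MTU gives 1432, the value used in the thread."""
    return mtu - sum(IP_HEADER[v] for v in ip_layers) - UDP_HEADER

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.strip(".").split(".") if l)
    return out + b"\x00"

def build_query(qname, qtype, bufsize, do_bit=True, txid=0x1234):
    """DNS query with EDNS0 OPT (RFC 6891): CLASS carries the advertised UDP
    payload size, TTL high bit is DO. Flags 0 mirrors dig's +norec."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)     # arcount=1: OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)  # root, OPT, rdlen 0
    return header + question + opt

def advertised_bufsize(msg):
    """UDP payload size a query advertises in its OPT record, or None."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                    # skip questions; queries use no compression
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4                       # root byte + qtype + qclass
    if ar == 0 or msg[pos] != 0:
        return None
    rtype, rclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return rclass if rtype == 41 else None

def response_truncated(resp):
    """True when the TC bit is set: the answer exceeded the advertised size
    and a resolver must retry over TCP instead of waiting for fragments."""
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

if __name__ == "__main__":
    q = build_query("org", 48, max_unfragmented_payload())   # 48 = DNSKEY
    print(len(q), "byte query advertising", advertised_bufsize(q))
```

A firewall that drops IP fragments produces exactly the symptom in the thread: the large UDP answer never arrives, while a query advertising 1432 or less gets either a complete reply or one with TC set that falls back to TCP.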