Problems after upgrade to 9.10.4

Michael Brunnbauer brunni at netestate.de
Fri May 6 15:34:17 UTC 2016


Hello Mukund,

On Fri, May 06, 2016 at 07:01:22PM +0530, Mukund Sivaraman wrote:
> These queries are sent by 81.209.177.155 to 192.12.94.30 with UDP
> payload size set to 512. This caused the reply to be truncated:
> 
> [muks at jurassic ~]$ dig +bufsize=512 +dnssec @192.12.94.30 -t A foaf-search.net.
> ;; Truncated, retrying in TCP mode.
> 
> Why is the UDP payload size advertised as 512? Some previous timeout or
> configuration caused it to be so. Check earlier logs.

I cannot find the cause. My dump covers ca. 8 hours with 11 UDP requests to 
192.12.94.30 and all have UDPsize=512. But I just did a few tests with the
isc.org name servers and UDPsize is successfully increased to 4096 after the
initial default of 512:

17:08:53.982931 IP (tos 0x0, ttl 64, id 23755, offset 0, flags [none], proto UDP (17), length 69)
    81.209.177.155.47866 > 199.254.63.254.53: [bad udp cksum 0x0bac -> 0x43fa!] 30601 [1au] A? www5.isc.org. ar: . OPT UDPsize=4096 OK (41)
17:08:53.995468 IP (tos 0x0, ttl 58, id 63088, offset 0, flags [none], proto UDP (17), length 723)
    199.254.63.254.53 > 81.209.177.155.47866: [udp sum ok] 30601 NXDomain*- q: A? www5.isc.org. 0/6/1 ns: isc.org. [1h] SOA ns-int.isc.org. hostmaster.isc.org. 2016050401 7200 3600 24796800 3600, isc.org. [1h] RRSIG, isc.org. [1h] NSEC, isc.org. [1h] RRSIG, www-test.isc.org. [1h] NSEC, www-test.isc.org. [1h] RRSIG ar: . OPT UDPsize=4096 OK (695)

I discovered 7 free UDP ports above 1023 that were blocked by iptables on that
host. This caused ca. 1-2 UDP replies to bind to be blocked per day. After my
upgrade to bind 9.10.4 (when the problems started), no UDP reply from 
192.12.94.30 was blocked and no EDNS related messages from bind can be found
in the syslog. 

> Try querying the
> TLD NS directly with +bufsize=4096 to see if there are any issues in
> getting replies to your network.

This works:

17:23:18.933075 IP (tos 0x0, ttl 64, id 47659, offset 0, flags [none], proto UDP (17), length 72)
    81.209.177.155.38738 > 192.12.94.30.53: [bad udp cksum 0x21dd -> 0x5e85!] 53886+ [1au] A? foaf-search.net. ar: . OPT UDPsize=4096 OK (44)
17:23:18.967569 IP (tos 0x0, ttl 52, id 28309, offset 0, flags [none], proto UDP (17), length 604)
    192.12.94.30.53 > 81.209.177.155.38738: [udp sum ok] 53886- q: A? foaf-search.net. 0/6/1 ns: foaf-search.net. [2d] NS ns.netestate.de., foaf-search.net. [2d] NS ns1.netestate.de., A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. [1d] Type50, A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. [1d] RRSIG, MI79E5R1F40QCUPOIBCU93AR486VI70V.net. [1d] Type50, MI79E5R1F40QCUPOIBCU93AR486VI70V.net. [1d] RRSIG ar: . OPT UDPsize=4096 OK (576)

cu,
brunni

-- 
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89 
++  E-Mail brunni at netestate.de
++  http://www.netestate.de/
++
++  Registered office: München, HRB No. 142452 (Commercial Register B, München)
++  VAT ID DE221033342
++  Managing directors: Michael Brunnbauer, Franz Brunnbauer
++  Authorized signatory: Dipl. Kfm. (Univ.) Markus Hendel
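
The check described in the message above (which EDNS UDP size the resolver advertised to each server), as an added example that is not part of the original message. It parses `tcpdump -vv` detail lines like the ones quoted; the function names are hypothetical, the last two sample packets are constructed, and it assumes manual dig tests carry the RD flag (tcpdump's `+` after the query ID) while the resolver's own iterative queries do not.

```python
import re
from collections import defaultdict

# Detail lines 1-2 are copied from the message; lines 3-4 are constructed
# to mimic the UDPsize=512 queries to 192.12.94.30 that it describes.
SAMPLE = """\
17:08:53.982931 IP (tos 0x0, ttl 64, id 23755, offset 0, flags [none], proto UDP (17), length 69)
    81.209.177.155.47866 > 199.254.63.254.53: [bad udp cksum 0x0bac -> 0x43fa!] 30601 [1au] A? www5.isc.org. ar: . OPT UDPsize=4096 OK (41)
17:23:18.933075 IP (tos 0x0, ttl 64, id 47659, offset 0, flags [none], proto UDP (17), length 72)
    81.209.177.155.38738 > 192.12.94.30.53: [bad udp cksum 0x21dd -> 0x5e85!] 53886+ [1au] A? foaf-search.net. ar: . OPT UDPsize=4096 OK (44)
10:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 72)
    81.209.177.155.40001 > 192.12.94.30.53: [udp sum ok] 1111 [1au] A? foaf-search.net. ar: . OPT UDPsize=512 OK (44)
10:00:05.000001 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 68)
    81.209.177.155.40002 > 192.12.94.30.53: [udp sum ok] 2222 [1au] NS? net. ar: . OPT UDPsize=512 OK (40)
"""

# src.port > dst.port: [checksum note] query-id flags ... OPT UDPsize=N
DETAIL = re.compile(
    r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"(?:\[[^\]]*\] )?(\d+)(\S*) .*?OPT UDPsize=(\d+)"
)

def edns_sizes(dump, resolver):
    """Map (server, rd_set) -> advertised UDP sizes for queries sent by resolver."""
    seen = defaultdict(list)
    for line in dump.splitlines():
        m = DETAIL.match(line)
        if not m:
            continue  # header lines and packets without an OPT record
        src, _sport, dst, dport, _qid, flags, size = m.groups()
        if src == resolver and dport == "53":
            # tcpdump prints '+' after the query ID when RD is set
            seen[(dst, "+" in flags)].append(int(size))
    return dict(seen)

def stuck_at_512(dump, resolver):
    """Servers whose iterative (RD clear) queries never advertised more than 512."""
    return sorted(dst for (dst, rd), sizes in edns_sizes(dump, resolver).items()
                  if not rd and max(sizes) <= 512)

if __name__ == "__main__":
    for (dst, rd), sizes in sorted(edns_sizes(SAMPLE, "81.209.177.155").items()):
        print(dst, "RD set" if rd else "iterative", sizes)
    print("stuck at 512:", stuck_at_512(SAMPLE, "81.209.177.155"))
```

Splitting on the RD flag keeps a successful `dig +bufsize=4096` test from masking the fact that the resolver itself still advertises 512 to the same server.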