
Re: Troubleshooting slow DNS lookup

806 views

Rianto Wahyudi

Nov 25, 2010, 11:23:20 PM
to Mark Andrews, bind-...@isc.org
Hi Mark,

Thanks for the pointers, you are spot on!

Doing dig +trace +dnssec www.paypal.com always fails.
After some investigation with the network guys, it appears that our upstream firewall is dropping DNS UDP packets larger than 512.
Cisco FWSM has this configuration enabled by default:


Once again thanks for the help!

Regards,
Rianto Wahyudi 


You need to mimic the nameserver more closely and turn on +dnssec.

       dig +trace +dnssec www.paypal.com

I suspect you have a firewall that is blocking the larger replies +dnssec
produces.  Named will work around this by adjusting the queries it makes
but that requires timeouts and hence the longer resolution time.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

Rianto Wahyudi

Nov 25, 2010, 8:48:32 PM
to bind-...@lists.isc.org
Hi all, 

I'm trying to troubleshoot and find out why some of our DNS lookups take a long time:


ns-dev ~ # rndc flushname www.paypal.com ; dig www.paypal.com @localhost

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.paypal.com @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29297
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;www.paypal.com.                        IN      A

;; ANSWER SECTION:
www.paypal.com.         300     IN      A       64.4.241.33
www.paypal.com.         300     IN      A       64.4.241.49
www.paypal.com.         300     IN      A       66.211.169.2
www.paypal.com.         300     IN      A       66.211.169.65

;; AUTHORITY SECTION:
paypal.com.             252     IN      NS      ns2.isc-sns.com.
paypal.com.             252     IN      NS      ns3.isc-sns.info.
paypal.com.             252     IN      NS      ns1.isc-sns.net.

;; ADDITIONAL SECTION:
ns3.isc-sns.info.       3559    IN      A       63.243.194.1
ns3.isc-sns.info.       86352   IN      AAAA    2001:5a0:10::1

;; Query time: 5119 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 26 12:05:49 2010
;; MSG SIZE  rcvd: 225

Doing trace : 

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.paypal.com @localhost +trace
;; global options:  printcmd
.                       516870  IN      NS      i.root-servers.net.
.                       516870  IN      NS      j.root-servers.net.
.                       516870  IN      NS      k.root-servers.net.
.                       516870  IN      NS      l.root-servers.net.
.                       516870  IN      NS      m.root-servers.net.
.                       516870  IN      NS      a.root-servers.net.
.                       516870  IN      NS      b.root-servers.net.
.                       516870  IN      NS      c.root-servers.net.
.                       516870  IN      NS      d.root-servers.net.
.                       516870  IN      NS      e.root-servers.net.
.                       516870  IN      NS      f.root-servers.net.
.                       516870  IN      NS      g.root-servers.net.
.                       516870  IN      NS      h.root-servers.net.
;; Received 492 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
;; Received 504 bytes from 192.36.148.17#53(i.root-servers.net) in 57 ms

paypal.com.             172800  IN      NS      ns1.isc-sns.net.
paypal.com.             172800  IN      NS      ns2.isc-sns.com.
paypal.com.             172800  IN      NS      ns3.isc-sns.info.
;; Received 177 bytes from 192.33.14.30#53(b.gtld-servers.net) in 5498 ms

www.paypal.com.         300     IN      A       66.211.169.65
www.paypal.com.         300     IN      A       64.4.241.33
www.paypal.com.         300     IN      A       64.4.241.49
www.paypal.com.         300     IN      A       66.211.169.2
paypal.com.             300     IN      NS      ns3.isc-sns.info.
paypal.com.             300     IN      NS      ns1.isc-sns.net.
paypal.com.             300     IN      NS      ns2.isc-sns.com.
;; Received 285 bytes from 72.52.71.1#53(ns1.isc-sns.net) in 174 ms



Version of bind installed : bind-9.3.6-4.P1.el5_4.2
IPv6 has been disabled on the host and firewall turned off during the test. 

Any thoughts?

Regards,

Rianto 




Mark Andrews

Nov 25, 2010, 8:56:34 PM
to Rianto Wahyudi, bind-...@isc.org

In message <AANLkTikwrkE2MtopsUJ-r...@mail.gmail.com>, Rian

You need to mimic the nameserver more closely and turn on +dnssec.

dig +trace +dnssec www.paypal.com

I suspect you have a firewall that is blocking the larger replies +dnssec
produces. Named will work around this by adjusting the queries it makes
but that requires timeouts and hence the longer resolution time.

Mark

> _______________________________________________
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Mark Andrews

Nov 25, 2010, 11:58:18 PM
to Rianto Wahyudi, bind-...@isc.org

In message <AANLkTimZMC4PGNe7N72hn...@mail.gmail.com>, Rianto Wahyudi writes:
> Hi Mark,
>
> Thanks for the pointers, you are spot on!
>
> Doing dig +trace +dnssec www.paypal.com always fails.
> After some investigation with the network guys, it appears that our upstream
> firewall is dropping DNS UDP packets larger than 512.
> Cisco FWSM has this configuration enabled by default:
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355

So the default is "inspect dns maximum-length 512" if I read that
page correctly. "inspect dns" or as a minimum "inspect dns
maximum-length 4096" will allow reply traffic through for named.

I thought I had heard that Cisco had code which looked for the EDNS
UDP size option and adjusted the maximum length based on that on a
per transaction basis and enforced 512 if there wasn't an EDNS option.

Mark

Kalman Feher

Nov 26, 2010, 3:38:46 AM
to bind-...@isc.org


On 26/11/10 5:58 AM, "Mark Andrews" <ma...@isc.org> wrote:

>
> In message <AANLkTimZMC4PGNe7N72hn...@mail.gmail.com>, Rianto Wahyudi writes:
>> Hi Mark,
>>
>> Thanks for the pointers, you are spot on!
>>
>> Doing dig +trace +dnssec www.paypal.com always fails.
>> After some investigation with the network guys, it appears that our upstream
>> firewall is dropping DNS UDP packets larger than 512.
>> Cisco FWSM has this configuration enabled by default:
>>
>> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355
>
> So the default is "inspect dns maximum-length 512" if I read that
> page correctly. "inspect dns" or as a minimum "inspect dns
> maximum-length 4096" will allow reply traffic through for named.
>
> I thought I had heard that Cisco had code which looked for the EDNS
> UDP size option and adjusted the maximum length based on that on a
> per transaction basis and enforced 512 if there wasn't an EDNS option.

Yes, but I think it's a recent addition to their code.

The Cisco ASA supports:

message-length maximum client auto

This will use the OPT value as the maximum. I know it's supported on version
8.3 of the ASA software. It might not be supported by the switch modules of the
OP.

>
> Mark

--
Kal Feher
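The behaviour Mark describes (named adjusting its EDNS queries and paying a timeout each time a large reply is dropped) and the two firewall policies discussed in this thread (the FWSM's fixed "inspect dns maximum-length 512" versus the ASA's "message-length maximum client auto") can be modelled end to end. The Python below is an added example, not code from this list, from ISC or from Cisco: it builds a real wire-format query with an EDNS0 OPT record, reads the advertised UDP size back out the way a size-aware inspector has to, and runs a toy resolver fallback against both policies. The fallback sequence (4096, then 512, then no EDNS), the 800 ms timeout and the name www.example.test are assumptions of this example; 1088 bytes is the +dnssec reply size Tony posts for www.cam.ac.uk further down the thread.

```python
# Added example (not from the thread, ISC or Cisco): a wire-format EDNS0
# query builder, an OPT-size reader, two toy firewall policies and a toy
# resolver fallback.  All values are constructed.
import struct
from typing import Callable, Optional, Tuple

TYPE_OPT = 41
EDNS_DO = 0x8000   # DNSSEC OK: top bit of the 16-bit flags half of the OPT TTL field


def encode_name(qname: str) -> bytes:
    """Dotted name to DNS wire format: length-prefixed labels ending in a 0 byte."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname: str, edns_udp_size: Optional[int] = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Recursive IN A query; with edns_udp_size set, an OPT RR (RFC 2671) in the
    additional section advertises that UDP payload size and the DO bit."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # A, IN
    if edns_udp_size is None:
        return header + question
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode / version / flags, RDLENGTH 0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return header + question + opt


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name (a compression pointer ends the name)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def advertised_udp_size(query: bytes) -> Optional[int]:
    """UDP payload size from the query's OPT RR, or None when the query carries
    no EDNS0 option: the field a size-aware DNS inspector has to read."""
    qdcount, arcount = struct.unpack("!HH", query[4:6] + query[10:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(query, pos) + 4            # skip QTYPE + QCLASS
    for _ in range(arcount):
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return None


Policy = Callable[[bytes, int], bool]   # (client query, UDP reply length) -> passes?


def fwsm_fixed_limit(max_length: int) -> Policy:
    """'inspect dns maximum-length N' as the thread describes the FWSM default
    (N = 512): a fixed ceiling on UDP replies whatever the client advertised."""
    return lambda _query, reply_len: reply_len <= max_length


def asa_client_auto(query: bytes, reply_len: int, no_edns_limit: int = 512) -> bool:
    """'message-length maximum client auto' as Kal describes it: the ceiling is
    the client's OPT value; with no OPT record the classic 512-byte limit applies."""
    limit = advertised_udp_size(query)
    return reply_len <= (no_edns_limit if limit is None else limit)


def resolve_with_fallback(reply_len: int, allows: Policy,
                          timeout_ms: int = 800) -> Tuple[int, int, Optional[int]]:
    """Toy resolver: advertise 4096, then 512, then no EDNS at all, paying one
    timeout each time a reply is silently dropped.  Returns (attempts, ms spent
    waiting, EDNS size that finally worked).  The real named sequence is more
    involved; this only shows how a size-dropping middlebox turns into latency."""
    elapsed = 0
    for attempt, size in enumerate((4096, 512, None), start=1):
        query = build_query("www.example.test", edns_udp_size=size)
        # The server truncates (TC=1) to the advertised size, 512 without EDNS.
        wire_len = min(reply_len, 512 if size is None else size)
        if allows(query, wire_len):
            return attempt, elapsed, size
        elapsed += timeout_ms
    return 3, elapsed, None     # both policies here pass <=512, so not reached


if __name__ == "__main__":
    for label, policy in (("FWSM maximum-length 512", fwsm_fixed_limit(512)),
                          ("FWSM maximum-length 4096", fwsm_fixed_limit(4096)),
                          ("ASA client auto", asa_client_auto)):
        print(f"{label:26s} -> {resolve_with_fallback(1088, policy)}")
```

Run stand-alone, the fixed 512 policy shows one dropped attempt and one timeout before the 512-byte retry gets through, while the 4096 ceiling and the client-auto policy pass the first attempt. That is the shape of the problem in this thread: the default does not break resolution outright, it adds a timeout to every large answer, which is what users experience as intermittent failures.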

Rianto Wahyudi

Dec 7, 2010, 11:38:16 PM
to bind-...@isc.org
Our network team are quite reluctant to make any changes on the FWSM
in regards to DNS inspection.
So it seems that we are stuck with a maximum UDP packet size of 512 bytes.

Unfortunately, I do not have much evidence (i.e. user complaints) to
escalate this issue much further, except from a few users who are
*intermittently* unable to access www.paypal.com.
The term "intermittently" is the main keyword, and because of that the
finger is now pointed back at the DNS server.

I believe that increasing the maximum limit or disabling inspection will
fix the issue, but I will need to gather a sufficient case and a
compelling report.

- Does anyone have a good example of a prominent website that has
DNSSEC set up properly other than paypal?
- Any example of a DNS record that sends a packet larger than 512?
- Any other information I can use to help create the report?

As a workaround I can possibly set the EDNS UDP size to match the
firewall limit, but I think this is my last option.

Any help is greatly appreciated!

Regards,
Rianto Wahyudi

Mark Andrews

Dec 8, 2010, 12:30:52 AM
to Rianto Wahyudi, bind-...@isc.org

In message <AANLkTi=T5tj29_GMnGBTPuG8cfYRQpgadr=-yVFw...@mail.gmail.com>, Rianto Wahyudi writes:
> Our network team are quite reluctant to make any changes on the FWSM
> in regards to DNS inspection.
> So it seems that we are stuck with a maximum UDP packet size of 512 bytes.
>
> Unfortunately, I do not have much evidence (i.e. user complaints) to
> escalate this issue much further, except from a few users who are
> *intermittently* unable to access www.paypal.com.
> The term "intermittently" is the main keyword, and because of that the
> finger is now pointed back at the DNS server.

It's intermittent because it takes named time to work out what will
work with your firewall and the clients time out in the meantime.
This will only get worse over time.

> I believe that increasing the maximum limit or disabling inspection will
> fix the issue, but I will need to gather a sufficient case and a
> compelling report.

Standards Track.
RFC 2671 Extension Mechanisms for DNS (EDNS0)
RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements

Informational.
RFC 4294 IPv6 Node Requirements

http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues

> - Does anyone have a good example of a prominent website that has
> DNSSEC set up properly other than paypal?

How about the root servers?

> - Any example of a DNS record that sends a packet larger than 512?

The root servers.

dig +dnssec dnskey .

> - Any other information I can use to help create the report ?
>
> As a workaround I can possibly set the EDNS UDP size to match the
> firewall limit, but I think this is my last option.
>
> Any help is greatly appreciated!
>
> Regards,
> Rianto Wahyudi


Rianto Wahyudi

Dec 8, 2010, 1:51:02 AM
to bind-...@isc.org
Hi Mark,

Thanks for your quick response !

> Standards Track.
> RFC 2671 Extension Mechanisms for DNS (EDNS0)
> RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements

Unfortunately, an RFC is not considered good enough ... unless we
can find actual proof that can be replicated :(

I have also done some DNSSEC trace demonstrations, and it is still not a good
enough reason:
ie : dig www.anyhostname.com +trace +dnssec .
This test always fails and produces an FWSM log entry similar to:
: %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to
10.0.0.1/64788 due to DNS Response

> How about the root servers?
>
>> - Any example of dns record that send packet larger than 512 ?
>
> The root servers.
>
>        dig +dnssec dnskey .

This, for some reason, works without any problem:


; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec dnskey .
;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 86400 IN DNSKEY 256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
. 86400 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; AUTHORITY SECTION:
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 2592000 IN A 198.41.0.4
b.root-servers.net. 2592000 IN A 192.228.79.201
c.root-servers.net. 2592000 IN A 192.33.4.12
d.root-servers.net. 2592000 IN A 128.8.10.90
e.root-servers.net. 2592000 IN A 192.203.230.10
f.root-servers.net. 2592000 IN A 192.5.5.241
g.root-servers.net. 2592000 IN A 192.112.36.4
h.root-servers.net. 2592000 IN A 128.63.2.53
i.root-servers.net. 2592000 IN A 192.36.148.17
k.root-servers.net. 2592000 IN A 193.0.14.129
a.root-servers.net. 2592000 IN AAAA 2001:503:ba3e::2:30
f.root-servers.net. 2592000 IN AAAA 2001:500:2f::f
h.root-servers.net. 2592000 IN AAAA 2001:500:1::803f:235

;; Query time: 547 msec

Matus UHLAR - fantomas

Dec 8, 2010, 3:09:45 AM
to bind-...@lists.isc.org
> > Standards Track.
> > RFC 2671 Extension Mechanisms for DNS (EDNS0)
> > RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
>
> Unfortunately RFC is not considered as good enough ... unless if we
> can find an actual proof that can be replicated :(

Disable DNSSEC then. If the RFC above is not good enough, DNSSEC isn't either.
Maybe you will be able to disable some other standards newer than 10
years (2671 is from August 1999) that will make them change their minds.

> >        dig +dnssec dnskey .

On 08.12.10 17:51, Rianto Wahyudi wrote:
> This, for some reason, works without any problem:

Check carefully again, if the answer did not start with:

;; Truncated, retrying in TCP mode.

> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec dnskey .
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;. IN DNSKEY

[...]
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Mark Andrews

Dec 8, 2010, 5:31:02 AM
to Rianto Wahyudi, bind-...@isc.org

In message <AANLkTimS2mFbib5LPdpqYaRc8Ds1GG4dB7b2tEa=Bn...@mail.gmail.com>, Rianto Wahyudi writes:
> Hi Mark,
>
> Thanks for your quick response !
>
> > Standards Track.
> > RFC 2671 Extension Mechanisms for DNS (EDNS0)
> > RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
>
> Unfortunately, an RFC is not considered good enough ... unless we
> can find actual proof that can be replicated :(
>
> I have also done some DNSSEC trace demonstrations, and it is still not a good
> enough reason:
> ie : dig www.anyhostname.com +trace +dnssec .
> This test always fails and produces an FWSM log entry similar to:
> : %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to
> 10.0.0.1/64788 due to DNS Response

I also suggest that you ask your firewall people to talk to the
CISCO TAC about how to properly configure the firewall for a
nameserver that supports EDNS. The defaults are not set up for a
nameserver that supports EDNS.

If they don't want to do that read what CISCO recommends here:

https://supportforums.cisco.com/message/3221565#3221565


> > Informational.
> > RFC 4294 IPv6 Node Requirements
> >
> > http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
> >
>
>
> > How about the root servers?
> >
> >> - Any example of a DNS record that sends a packet larger than 512?
> >
> > The root servers.
> >
> >         dig +dnssec dnskey .
>
> This, for some reason, works without any problem:

Well if you ask the root servers ....

dig +dnssec dnskey . @a.root-servers.net

With just "dig +dnssec dnskey ." you are talking to your own server so
you are not going through the firewall. You will also notice it took 1/2
a second to get that answer, so named made several different attempts in
that 1/2 second.

> ;; Query time: 547 msec

Tony Finch

Dec 8, 2010, 12:16:58 PM
to Rianto Wahyudi, bind-...@isc.org
On Wed, 8 Dec 2010, Rianto Wahyudi wrote:
>
> - Does anyone have a good example of a prominent website that has
> DNSSEC set up properly other than paypal?
> - Any example of a DNS record that sends a packet larger than 512?

; <<>> DiG 9.6.2-P2 <<>> +multiline +dnssec www.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cam.ac.uk. IN A

;; ANSWER SECTION:
www.cam.ac.uk. 77902 IN A 131.111.8.46
www.cam.ac.uk. 77902 IN RRSIG A 5 4 86400 20110103030147 (
20101204030850 34770 cam.ac.uk.
m80OuIdqTxhSGGCbpzoksKHjdSyfaS9eALUEE0X7dwnh
Z2jrhoGKaz2snJ3XbRUwebJSNSt7Ej4Mw50buRD77Rlj
kMumdYEmzYDSOewZ93CEE54nVzkGUQWYnVxsK1uRxSYK
vA== )

;; AUTHORITY SECTION:
cam.ac.uk. 4362 IN NS dns0.eng.cam.ac.uk.
cam.ac.uk. 4362 IN NS bitsy.mit.edu.
cam.ac.uk. 4362 IN NS ns2.ic.ac.uk.
cam.ac.uk. 4362 IN NS dns0.cl.cam.ac.uk.
cam.ac.uk. 4362 IN NS authdns1.csx.cam.ac.uk.
cam.ac.uk. 4362 IN NS authdns0.csx.cam.ac.uk.
cam.ac.uk. 4362 IN NS dns1.cl.cam.ac.uk.
cam.ac.uk. 81614 IN RRSIG NS 5 3 86400 20110105004959 (
20101206071226 34770 cam.ac.uk.
XuKl+Pwh7HenDLpOmoIssHE5ZOSug1b9+SLhIEdXtWDb
cB4zViCtCxJFz8yC41feAy5g2w+6Cc9RAiNexZf3E+PU
gQQd+w3UHn5VwNRJroDw4TKMAlsG7LcFvOYuPOKeXyIv
Jw== )

;; ADDITIONAL SECTION:
ns2.ic.ac.uk. 73348 IN A 155.198.142.82
dns0.cl.cam.ac.uk. 14636 IN A 128.232.0.19
dns0.cl.cam.ac.uk. 14636 IN AAAA 2001:630:200:ac70::d:a0
dns0.eng.cam.ac.uk. 162 IN A 129.169.8.8
dns1.cl.cam.ac.uk. 14636 IN A 128.232.0.18
authdns1.csx.cam.ac.uk. 162 IN A 131.111.12.37
authdns1.csx.cam.ac.uk. 162 IN AAAA 2001:630:200:8120::d:a1
ns2.ic.ac.uk. 73348 IN RRSIG A 5 4 86400 20101228214539 (
20101128205350 4743 ic.ac.uk.
VGps8nLXC3hA9vuNKD9K4unAxNeL02U4DQuBe9XRXbgk
OCRRQpgzxSNw8S+MS5H740EiquYCb4GhARRwP32Jpxya
tR+eGlersDIsGZGpH88mZ9zm8kReZaHNTv3+ENU0fDKt
LOou+4SfA+ca7/348PAKmRsR8EA/KpMFm6ofIYs= )
authdns1.csx.cam.ac.uk. 162 IN RRSIG A 5 5 86400 20110104233031 (
20101206031205 34770 cam.ac.uk.
JKDGs3+vXx+OkFGXQ+ZZZllikf4Q1ab9hiteQNthlQ6y
j7nFtg6HvoGqPFT6DicPeMLUCI68GLpWKJcuC+Z8z5IE
pMxnAKAjMKdlHibdRzTCT6JBu+4Q7w0opKo0cEI81i/G
8Q== )
authdns1.csx.cam.ac.uk. 162 IN RRSIG AAAA 5 5 86400 20101225154130 (
20101125184850 34770 cam.ac.uk.
CLGNGErElJOiOufuNl5M3q3rfZWlxxNzCIBHRf6hjuKS
1KfoAdhLuFJCTcYHj7seN0PqHeKi0cniKXIh1KPX9knk
TUrzfxettAcige0vgez7t8HliB3001Xie49hujWYiZvP
/g== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 8 17:17:18 2010
;; MSG SIZE rcvd: 1088


Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
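The fields that tell you from dig output alone whether a size limit is in play are the ones Matus and Mark point at: the "Truncated, retrying in TCP mode" line, the udp: value in the OPT pseudosection, the Query time, the MSG SIZE, and whether SERVER is the local resolver (in which case the reply never crossed the firewall itself; named's upstream queries did). The parser and heuristic below are an added example, not part of the thread; the three abbreviated dig transcripts are constructed (modelled on Rianto's "dnskey ." output, Tony's www.cam.ac.uk output and a TCP fallback case), and the 100 ms and 512-byte thresholds in assess() are this example's own.

```python
# Added example (not from the thread): read the size-related facts out of
# dig's text output and say what they suggest.  Transcripts are constructed.
import re
from typing import Any, Dict

DIG_LOCAL_512 = """\
; <<>> DiG 9.3.6-P1 <<>> +dnssec dnskey .
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; Query time: 547 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

DIG_LOCAL_4096 = """\
; <<>> DiG 9.6.2-P2 <<>> +multiline +dnssec www.cam.ac.uk
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 1088
"""

# Constructed: what a direct query that fell back to TCP would look like.
DIG_TCP_FALLBACK = """\
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.6.2-P2 <<>> +dnssec dnskey . @a.root-servers.net
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; Query time: 180 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; MSG SIZE  rcvd: 900
"""


def parse_dig(text: str) -> Dict[str, Any]:
    """Pull the fields that matter for reply-size problems out of dig output."""
    def grab(pattern: str):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None

    flags = grab(r"^;; flags: ([a-z ]*);") or ""
    edns_flags = grab(r"^; EDNS: version: \d+, flags:([a-z ]*); udp: \d+") or ""
    udp = grab(r"^; EDNS: version: \d+, flags:[a-z ]*; udp: (\d+)")
    qtime = grab(r"^;; Query time: (\d+) msec")
    size = grab(r"^;; MSG SIZE\s+rcvd: (\d+)")
    server = grab(r"^;; SERVER: ([0-9a-f.:]+)#")
    return {
        "tcp_fallback": ";; Truncated, retrying in TCP mode." in text,
        "tc": "tc" in flags.split(),                 # TC bit on the final answer
        "do": "do" in edns_flags.split(),            # DNSSEC OK was set
        "edns_udp": int(udp) if udp else None,       # responder's advertised size
        "query_ms": int(qtime) if qtime else None,
        "msg_size": int(size) if size else None,
        "local_server": server is not None and server.startswith(("127.", "::1")),
    }


def assess(r: Dict[str, Any]) -> str:
    """Heuristic reading of one parsed output; the thresholds are this example's."""
    scope = ("via the local resolver, so the firewall path is named's, not dig's"
             if r["local_server"] else "directly from the server named")
    if r["tcp_fallback"] or r["tc"]:
        return f"UDP reply was truncated and dig re-asked over TCP ({scope})"
    if r["edns_udp"] is not None and r["edns_udp"] <= 512:
        verdict = "answered with a 512-byte EDNS buffer"
        if r["query_ms"] is not None and r["query_ms"] > 100:
            verdict += f"; {r['query_ms']} ms for a local answer hints at upstream retries"
        return f"{verdict} ({scope})"
    if r["msg_size"] is not None and r["msg_size"] > 512:
        return f"{r['msg_size']}-byte UDP reply arrived intact ({scope})"
    return f"no size problem visible in this output ({scope})"


if __name__ == "__main__":
    for name, text in (("local 512", DIG_LOCAL_512), ("local 4096", DIG_LOCAL_4096),
                       ("tcp fallback", DIG_TCP_FALLBACK)):
        print(f"{name:13s}: {assess(parse_dig(text))}")
```

The point of the local_server field is Mark's: a clean answer from 127.0.0.1 proves nothing about the firewall, because the resolver did the upstream work. The "dig +dnssec dnskey . @a.root-servers.net" form he suggests is what makes dig itself cross the firewall, and that is the output worth attaching to a report.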
