Mark Andrews wrote:
You think there isn't a firewall.  There is something in the path
that is blocking responses.  When you find it can you please inform
the manufacturer that their product is broken and you would like it
fixed.  FORMERR is part of the base DNS specification and shouldn't
be filtered.
What I don't understand is this: the FORMERR response is a normal UDP packet, OK?
What could filter this packet?

Queries to Akamai servers don't work with EDNS. To work around this problem I configured BIND with the directive "server <IP> { edns no; };", but that isn't a good solution.
From my server, some queries with EDNS work and some don't.

Akamai does respond to EDNS queries.
Here is what you should be seeing.  It looks like something is
filtering out the FORMERR responses.  Almost all of the above log
messages are for zones where FORMERR is returned.  Responses from
EDNS-aware servers are getting back.

B.T.W. you should use 512 as the buffer size, not 500.

drugs:dnssec 13:10 {1669} % dig @n0g.akamai.net a961.g.akamai.net +bufsize=512

; <<>> DiG 9.3.6-P1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=512
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 52294
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 11 msec
;; SERVER: 60.254.186.21#53(60.254.186.21)
;; WHEN: Tue Jul 21 13:10:50 2009
;; MSG SIZE  rcvd: 12

drugs:dnssec 13:10 {1670} %
Mark
My server gets EDNS responses from some name servers on the Internet with UDP packets > 512 bytes,
e.g.: "dig @a.dns.br br dnskey +dnssec +bufsize=2500"
So it's not a firewall problem, am I correct?

From my server, dig to Akamai with EDNS (+bufsize=512) doesn't get a FORMERR message; dig returns "connection timed out; no servers could be reached".
What could be the reason?

Thanks for your reply.

--
Regards,
Breno S. Soares
Network Analyst
SERPRO/SUPRE/REBHE
Tel: (31) 3311-6825

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a 
government company established under Brazilian law (5.615/70) -- is directed exclusively 
to its addressee and may contain confidential data, protected under professional secrecy 
rules. Its unauthorized use is illegal and may subject the transgressor to the law's 
penalties. If you're not the addressee, please send it back, elucidating the 
failure."
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
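The thread turns on one observation: a FORMERR reply is just a 12-byte DNS header (QDCOUNT 0, rcode 1) carried in an ordinary UDP datagram, and the only difference between the query that gets it and the query that doesn't is the trailing OPT record. The probe below, added here as an illustration and not code from either poster or from BIND, builds the same query dig sends with and without EDNS, sends it over UDP, and classifies what comes back (FORMERR, NOERROR, TIMEOUT, or an id mismatch). The server and zone names are the ones quoted from Mark's dig run; `SAMPLE_FORMERR` is constructed from the header fields in that output (id 52294, flags qr rd, status FORMERR, all counts 0) so the parsing path can be exercised offline.

```python
"""Probe a name server with and without EDNS and classify the reply.

Added example for the bind-users thread above; not code from the original
posters or from BIND. Assumes plain UDP on port 53 and IPv4.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression needed in a query)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1, edns_bufsize=None):
    """Build a query for name/qtype; append an OPT RR (RFC 6891) when edns_bufsize is given."""
    arcount = 1 if edns_bufsize else 0
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended rcode/version/flags (all zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt


def parse_header(resp):
    """Decode the fixed 12-byte DNS header; a FORMERR reply is often nothing more."""
    if len(resp) < 12:
        raise ValueError("short packet: %d bytes" % len(resp))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(txid, resp):
    """One-word verdict for a reply to query txid; None means nothing arrived."""
    if resp is None:
        return "TIMEOUT"
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "MISMATCH"
    return h["rcode"]


def probe(server, name, edns_bufsize=None, timeout=3.0):
    """Send one UDP query and classify the answer. Network access required."""
    txid = 0x1234  # fixed id is fine for a diagnostic, never for a resolver
    query = build_query(name, txid, edns_bufsize=edns_bufsize)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        resp = None
    finally:
        sock.close()
    return classify(txid, resp)


# Constructed sample: the 12-byte reply in Mark's dig output
# (id 52294, flags qr rd, status FORMERR, QUERY/ANSWER/AUTHORITY/ADDITIONAL all 0).
SAMPLE_FORMERR = struct.pack("!HHHHHH", 52294, 0x8000 | 0x0100 | 1, 0, 0, 0, 0)

if __name__ == "__main__":
    print("sample reply:", parse_header(SAMPLE_FORMERR))
    # Live check against the servers named in the thread (assumption: reachable, port 53 open).
    for bufsize in (None, 512):
        print("edns bufsize", bufsize, "->",
              probe("n0g.akamai.net", "a961.g.akamai.net", edns_bufsize=bufsize))
```

If the run without EDNS returns NOERROR (or any rcode) while the run with `edns_bufsize=512` returns TIMEOUT, the 12-byte FORMERR datagram is being dropped somewhere between the two hosts; the size of the reply rules out fragmentation, so the filter is keying on the rcode or on the presence of the OPT record in the query, not on packet length. A NOERROR with `tc` set is a separate case: that is a legitimate truncation and the next step is to retry over TCP.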