-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Take a look at this. It is somewhat confusing, but it is helpful and should tell you right away if you definitely have a firewall issue (and frankly there's little else it could be).
https://www.dns-oarc.net/oarc/services/replysizetest On 02/23/2011 11:15 AM, Shaoquan Lin wrote: > Thanks, Mark, > > Last June I asked our firewall person to make sure our firewall not > blocking DNS packets over 512 bytes. He told me our firewall was not > blocking. I guess that might be some default setting of the firewall > and he does not really know. I did two digs here one with +dnssec and > one without. I got the the following: > > 1) with +dnssec : > ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec > ;; global options: +cmd > ;; connection timed out; no servers could be reached > > 2) without +dnssec : > ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024 > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4 > > ;; QUESTION SECTION: > ;vwall4a.nyc.gov. IN A > > ;; AUTHORITY SECTION: > nyc.gov. 86400 IN NS vwall1a.nyc.gov. > nyc.gov. 86400 IN NS vwall2a.nyc.gov. > nyc.gov. 86400 IN NS vwall3a.nyc.gov. > nyc.gov. 86400 IN NS vwall4a.nyc.gov. > > ;; ADDITIONAL SECTION: > vwall1a.nyc.gov. 86400 IN A 161.185.1.3 > vwall2a.nyc.gov. 86400 IN A 161.185.1.12 > vwall3a.nyc.gov. 86400 IN A 167.153.130.12 > vwall4a.nyc.gov. 86400 IN A 167.153.130.13 > > ;; Query time: 31 msec > ;; SERVER: 209.112.123.30#53(209.112.123.30) > ;; WHEN: Wed Feb 23 11:12:48 2011 > ;; MSG SIZE rcvd: 192 > > Does this show we do have a firewall problem here? > > Shaoquan Lin > > Mark Andrews wrote: >> In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" >> writes: >> >>> Mark, >>> >>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is >>> that I >>> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from >>> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older >>> BINDs like >>> 9.3. I don't know if the problem is with the authoritative >>> nameservers for gov or the nameservers for nyc.gov or with the BIND I >>> am using. I noticed the following: >>> >> >> Just fix your firewalls to allow EDNS responses through. While >> this is a bug in the authoritative servers / interpretation of >> RFC 1034, its only a issue because your firewall configuration >> is a decade out of date that it is a problem. >> >> >>> 1). a.gov-servers.net or b.gov-servers.net does provide A records >>> in the additional records of their responses for other subdomain >>> under gov like treas.gov, just not nyc.gov. So the problem seems >>> with nameservers for nyc.gov. The problem is relatively new and >>> there might be some recent changes on nyc.gov. >>> >> >> The gov servers will return glue if you let bigger answers than 512 bytes >> through your firewall. >> >> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov >> @b.gov-servers.net +dnssec >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028 >> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5 >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 1472 >> ;; QUESTION SECTION: >> ;vwall4a.nyc.gov. IN A >> >> ;; AUTHORITY SECTION: >> nyc.gov. 86400 IN NS vwall1a.nyc.gov. >> nyc.gov. 86400 IN NS vwall2a.nyc.gov. >> nyc.gov. 86400 IN NS vwall3a.nyc.gov. >> nyc.gov. 86400 IN NS vwall4a.nyc.gov. >> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 >> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS >> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 >> 20110227210022 20110222210022 47602 gov. >> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 >> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn >> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA >> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u >> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 >> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg== >> >> ;; ADDITIONAL SECTION: >> vwall1a.nyc.gov. 86400 IN A 161.185.1.3 >> vwall2a.nyc.gov. 86400 IN A 161.185.1.12 >> vwall3a.nyc.gov. 86400 IN A 167.153.130.12 >> vwall4a.nyc.gov. 86400 IN A 167.153.130.13 >> >> ;; Query time: 187 msec >> ;; SERVER: 209.112.123.30#53(209.112.123.30) >> ;; WHEN: Wed Feb 23 11:54:06 2011 >> ;; MSG SIZE rcvd: 574 >> >> >>> 2) Older version of Binds (like 9.3) seems able to resolve >>> vwall4a.nyc.gov as shown the packets I captured in my previous e-mail. >>> >>> What options in named.conf I can use to set "tc"? >>> >>> Thank you. >>> >>> Shaoquan Lin >>> > - -- - ---- _ _ _ _ ___ _ _ _ |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer |$&| |__| | | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922) \__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1lOE0ACgkQmb+gadEcsb7VKACgp9Makck8GzP1ZEG5q6sczoHH NVYAn2j1RqU2n9f/ZlC7+GcsKm2oaFzi =kqJW -----END PGP SIGNATURE-----
<<attachment: novosirj.vcf>>
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
