Is your firewall Cisco based? There is a known "default" setting in Cisco with respect to packet size for DNS. Our network guys run into this anytime they do an upgrade, etc. and have to go in and update the setting.
Steve.

On Tue, 2011-09-27 at 15:45 -0500, Brad Bendily wrote:
> When trying the DNSSEC check command from:
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> behind our corporate firewall, I get:
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "Tested at 2011-09-27 20:32:34 UTC"
> "205.172.49.177 sent EDNS buffer size 4096"
> "205.172.49.177 DNS reply size limit is at least 490"
>
> Which, based on the website, tells me our firewall is blocking
> or filtering EDNS/DNSSEC packets.
>
> However, what I'm confused about is when I run this command:
> dig +dnssec eeoc.gov
>
> I get:
>
> ; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;eeoc.gov.                      IN      A
>
> ;; ANSWER SECTION:
> eeoc.gov.               19499   IN      A       64.94.64.52
> eeoc.gov.               19499   IN      RRSIG   A 7 2 21600 20111208014816
> 20110909014816 52909 eeoc.gov.
> AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM
> GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B
> 9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi
> yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw
> i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd
> SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==
>
> ;; AUTHORITY SECTION:
> eeoc.gov.               66519   IN      NS      dnssec10.datamtn.com.
> eeoc.gov.               66519   IN      NS      dnssec14.datamtn.com.
> eeoc.gov.               66519   IN      NS      dnssec11.datamtn.com.
> eeoc.gov.               66519   IN      NS      dnssec12.datamtn.com.
> eeoc.gov.               66519   IN      NS      dnssec9.datamtn.com.
>
> ;; ADDITIONAL SECTION:
> dnssec9.datamtn.com.    3114    IN      AAAA    2001:49f0:a02a:1000::238
> dnssec11.datamtn.com.   3114    IN      AAAA    2001:470:1:7a::147
> dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 7 3 10800 20111125185428
> 20110827185428 21352 datamtn.com.
> Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6
> RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK
> zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku
> LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV
> d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0
> prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
> dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 8 3 10800 20111125185428
> 20110827185428 61898 datamtn.com.
> NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101
> C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1
> jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x
> /Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId
> 1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH
> yLUNrjhcO0cj/vVf1YrrIzZXF69zKGYfsCP876zKoVtlrUe1dZ0bersP 4I9klg==
> dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 7 3 10800 20111125185428
> 20110827185428 21352 datamtn.com.
> Lgt6Wq5JvvAF6BKUUoPSiv6lx0yqQ3HAFoClEcg11V7XhIngeaTperu7
> 7lytmKl53yZUxarFbQdJ/NxwwNVl/F2Os5RkNHkAjVTkku1mjoMeqEhF
> NDe+cvYOOo0EASc9LhmHo2qgkyhjGAt1FtbmrOG9Gwr5OdUM5l2EgcGj
> bRvH1Sfv5le68ST1+74sQPKmp+3n0gopfKUlcYuDDw/mUKXR8lo3MCTv
> xe6q6NbwHNHWBCgUw4rqX4ZdVArL4WumKvkufeieDJpMhKwHlWHyPvu9
> pX1IsZRyQPo9RqnmSpG+yjR59ixbb23LyO6alrEDJTyaJZL8uHfwiTQ8 4V29tQ==
> dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 8 3 10800 20111125185428
> 20110827185428 61898 datamtn.com.
> vtFFEZbruIfnwSGAdlXukUn40SOEIZY9QXrHh6CfOl3WkQduSnbvgS5T
> +e2QN6GDcZgigGON8yHHTS8DI8ld/tCxxVkwB3ISkqkQHrjyyRD6+8IR
> J2BWsdMTyAhe9PygLR1FkfCt1JDaDnAbOKOniMT+6DRlnE7ZW7KfvZT/
> 7j5qG+xDixCXUHyhnstbv9vmMPTxnK1ASy6nz7ErnA/DUMleO484xIgM
> 6Pc8uqy3Onw4Yfn4l5R66tQwC0yoSVwqmEyIWNWyx1SNQLFzUc1hySaF
> aQs1L/Zyu9e/wSHdZUeGiOwx5cz3yWE2NsF3tagxukkL9vNu2s/nyjzR 3igT3g==
>
> ;; Query time: 1 msec
> ;; SERVER: 10.120.11.107#53(10.120.11.107)
> ;; WHEN: Tue Sep 27 15:34:07 2011
> ;; MSG SIZE  rcvd: 1726
>
> Which tells me my DNSSEC queries are working, right?
> I noticed in the "OPT PSEUDOSECTION" udp=4096.
>
> This started because, as the DNS admin, I was informed today that we could
> not resolve this domain, eeoc.gov. Which was true. As I started digging into
> it, and performing a dig from an offsite server which was working, I found
> that the domain "eeoc.gov" is running DNSSEC. So, I assumed the problem was
> with our firewall blocking or filtering the DNSSEC traffic. But then after
> researching for a few hours, I found we were able to resolve the domain,
> through no changes of DNS.
> It could be that "datamtn.com", their authoritative NS, are performing
> maintenance or something. So, all this research led me to the information
> above.
>
> Are we getting EDNS/DNSSEC responses or no?
> thanks
> bb
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
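Added example, not code from Steve's or Brad's messages: a small standard-library Python probe that does at the wire level what `dig +dnssec` and the OARC reply-size test do. It builds a query carrying an EDNS0 OPT record that advertises a chosen UDP buffer size (the `udp: 4096` in the dig output), and parses whatever comes back for the TC (truncated) flag, the message size, and the buffer size the responder advertises. The three outcomes map onto the thread: a full reply with a large message size means large UDP replies get through; a TC reply means the answer was bigger than the buffer the client advertised, so the resolver retries over TCP; no reply at all with a large buffer while a small buffer is answered is the pattern of a firewall dropping large DNS packets, which is what Steve's Cisco remark and the "at least 490" test result point at. The resolver address, the `example.com` name and the embedded sample reply are constructed placeholders, not captured traffic.

```python
# Added example, not code from this thread: a minimal EDNS0 probe written
# with the standard library only. Server address, names and the sample
# reply below are constructed placeholders, not captured traffic.
import socket
import struct

EDNS_OPT_TYPE = 41       # RR type of the OPT pseudo-record (RFC 6891)
EDNS_DO_FLAG = 0x8000    # "DNSSEC OK" bit, carried in the OPT record's TTL field
FLAG_RD = 0x0100         # recursion desired
FLAG_TC = 0x0200         # truncated: the answer did not fit the advertised buffer


def encode_name(name):
    """Domain name to DNS wire format (length-prefixed labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data, offset):
    """Return the offset just past a possibly compressed name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # a compression pointer is 2 bytes and ends the name
            return offset + 2
        offset += 1 + length


def build_query(qname, qtype=1, udp_size=4096, dnssec_ok=True, msg_id=0x1234):
    """Query with RD set plus an OPT RR advertising udp_size, like dig +dnssec."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)   # one question, one additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    ttl_field = EDNS_DO_FLAG if dnssec_ok else 0
    # OPT: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, ttl_field, 0)
    return header + question + opt


def parse_response(data):
    """Pull out the fields that matter for a reply-size problem."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4            # skip QTYPE and QCLASS
    edns_size, do_bit = None, False
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        if rtype == EDNS_OPT_TYPE:
            edns_size = rclass                           # the responder's own buffer size
            do_bit = bool(ttl & EDNS_DO_FLAG)
        offset += 10 + rdlen
    return {"id": msg_id, "rcode": flags & 0x000F, "truncated": bool(flags & FLAG_TC),
            "size": len(data), "answers": an, "edns_udp_size": edns_size, "do": do_bit}


def probe(server, qname, udp_size=4096, timeout=3.0, port=53):
    """Send one EDNS query over UDP; None means nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, udp_size=udp_size), (server, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(results):
    """Interpret probe results keyed by the advertised buffer size."""
    sizes = sorted(results, reverse=True)
    largest = results[sizes[0]]
    if largest is None:
        answered = [s for s in sizes if results[s] is not None]
        if answered:
            return "suspect middlebox: no reply at buffer %d but a reply at %d" % (sizes[0], answered[0])
        return "no reply at any buffer size: server unreachable or UDP/53 blocked"
    if largest["truncated"]:
        return "truncated at buffer %d: answer is larger, resolver must retry over TCP" % sizes[0]
    return "ok: %d-byte reply with buffer %d" % (largest["size"], sizes[0])


def make_sample_reply(truncated=False):
    """Constructed reply for offline testing (example.com A 192.0.2.1, responder buffer 1232)."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)      # QR, RD, RA (+TC)
    an = 0 if truncated else 1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, 1)
    question = encode_name("example.com.") + struct.pack("!HH", 1, 1)
    # answer owner name is a compression pointer to the question name at offset 12
    answer = b"" if truncated else (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 1232, EDNS_DO_FLAG, 0)
    return header + question + answer + opt
```

Live use is one line per buffer size against the resolver dig used, e.g. `diagnose({n: probe("10.120.11.107", "eeoc.gov.", udp_size=n) for n in (4096, 1232, 512)})`; querying the internal resolver only tests the LAN hop, so to exercise the firewall the way the OARC test does, run it from the resolver itself against an external server. Offline, `diagnose({4096: None, 512: parse_response(make_sample_reply())})` returns the "suspect middlebox" verdict.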