Please be aware that RFC 2671, which specifies EDNS0, allows for buffer sizes to reach 64k, not just 4k. Most implementations default to 4k, but the buffer size can easily be set higher. Moreover, the EDNS0 buffer size merely specifies the size where the UDP response becomes truncated and must fall over to TCP. If you limit UDP responses and also block TCP, you may also someday block legitimate traffic. At this point it's extremely unlikely, but at one time DNS responses in the range of 1k-2k seemed extremely unlikely...

michael
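To make the mechanics above concrete (the advertised EDNS0 UDP payload size, the TC bit that signals truncation, and the fall-back to TCP that a firewall must not block), here is a small Python script. It is an added example, not code from this thread or from BIND: it hand-builds a query with an OPT pseudo-RR, reads the advertised buffer size and the TC flag back out of any DNS message, and retries over TCP when a UDP reply is truncated. The qname `example.gov` and the `truncated_reply_sample()` helper are constructed test data, not a real server's answer.

```python
"""Added example (not part of the bind-users thread): EDNS0 payload size,
TC-bit detection and UDP-to-TCP fallback, built directly on the wire format."""
import socket
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
FLAG_QR = 0x8000
FLAG_TC = 0x0200       # "truncated": reply did not fit the UDP buffer
FLAG_RD = 0x0100


def build_query(qname, qtype=1, udp_payload=4096, txn_id=0x1234, want_dnssec=True):
    """Wire-format query for qname/qtype with one OPT RR in the additional
    section advertising udp_payload bytes (anything from 512 up to 65535)."""
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)            # IN class
    # OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size,
    # TTL field carries ext-RCODE/version/DO bit, RDLEN=0 (no options).
    ttl_field = 0x8000 if want_dnssec else 0                       # DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl_field, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict (id, flags of interest, counts)."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Advertised UDP payload size from the OPT RR, or None if the message has none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                          # CLASS field == buffer size
        off += 10 + rdlen
    return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short TCP read from name server")
        buf += chunk
    return buf


def send_query(server, query, timeout=3.0):
    """Send over UDP; if the reply carries TC, repeat over TCP (RFC 1035
    2-byte length prefix). Returns (response_bytes, transport_used).
    Network call: not exercised by the offline test below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(65535)
    if not parse_header(resp)["tc"]:
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)
        n = struct.unpack("!H", _recv_exact(t, 2))[0]
        return _recv_exact(t, n), "tcp"


def truncated_reply_sample(query):
    """Constructed sample reply: same question and OPT RR echoed back,
    QR+TC+RD set, no answer records, exactly what a server sends when the
    full response exceeds the buffer size the client advertised."""
    txn_id = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txn_id, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 1) + query[12:]


if __name__ == "__main__":
    q = build_query("example.gov", udp_payload=4096)   # constructed qname
    print("advertised buffer:", edns_udp_size(q), "bytes; TC:", parse_header(q)["tc"])
    r = truncated_reply_sample(q)
    print("sample reply TC:", parse_header(r)["tc"], "-> would retry over TCP")
```

Pointing `send_query("<resolver-ip>", build_query("<name>", udp_payload=512))` at a resolver behind a firewall that caps DNS at 512 bytes and then at 4096 bytes shows the two behaviours the thread describes: with the small advertised size the server sets TC and the client must reach port 53/TCP; with the larger size the DNSSEC-bearing reply arrives over UDP, provided the middlebox lets a UDP datagram of that size through.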

On 01/19/12 12:34, Faehl, Chris wrote:
Josh - are you using Cisco firewalls? We've seen problems resolving other
.gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
results and fixed those problems without other operational impact.

Chris Faehl
Director, Cloud Architecture
RightNow Technologies

On 1/19/12 12:39 PM, "Baird, Josh" <jba...@follett.com> wrote:

Ugly fix, but it does work.  I already had that in place as a "band-aid"
anyways.

Josh

-----Original Message-----
From: wbr...@e1b.org [mailto:wbr...@e1b.org]
Sent: Thursday, January 19, 2012 2:36 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh wrote on 01/19/2012 02:06:05 PM:

My resolvers seem to be having problems resolving ed.gov hosts. Others
have reported similar problems, but I am having trouble figuring out
where the problem lies.  Some other resolvers seem to be resolving
ed.gov correctly.  I am able to query their authoritative servers
directly from the same network where my resolvers are located.  But, my
resolvers are not able to recurse to them.

[snip]

Is anyone else having problems?  Can you spot anything that could be
preventing my/our resolvers from successfully querying this?


Years ago, we had problems with ed.gov.  We added the following to our
config on 2009-08-11 to forward to their name servers:

zone "ed.gov" {
        type forward;
        forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
};

Ugly fix? You bet!  But the problems went away...

IIRC, we did network sniffs at the perimeter and a bunch of other
troubleshooting to no avail.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
