In message <CALm7FAdeV4eqiAZc2vP=mnpkv4do3c9yzu2j-lpdifv8eb8...@mail.gmail.com>
, Wolfgang Rosenauer writes:
> On Fri, Jul 11, 2014 at 1:32 AM, Mark Andrews <ma...@isc.org> wrote:
> >
> >         Then all of the following should succeed.  Please let the
> >         list know how you go.
> >
> >         dig soa . @198.41.0.4 +norec
> >         dig soa . @198.41.0.4 +dnssec +norec
> >         dig dnskey . @198.41.0.4 +dnssec +norec
> >         dig ds com @198.41.0.4 +dnssec +norec
> >         dig com @198.41.0.4 +dnssec +norec
> >
> >         dig soa . @198.41.0.4 +tcp +norec
> >         dig soa . @198.41.0.4 +dnssec +tcp +norec
> >         dig dnskey . @198.41.0.4 +dnssec +tcp +norec
> >         dig ds com @198.41.0.4 +dnssec +tcp +norec
> >         dig com @198.41.0.4 +dnssec +tcp +norec
> >
> >         dig dnskey org +dnssec @199.19.56.1 +ignore +norec
> >         dig dnskey org +dnssec @199.19.56.1 +tcp  +norec
> 
> All but one request succeeded:
> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +norec
> 
> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1
> +ignore +norec
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Which requires fragmented UDP to be passed by the firewall.  The
rest of the test UDP responses will all fit in an Ethernet frame.

Test with

        dig dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432

Then set "edns-udp-size 1432;" in named.conf until you can get the firewall
fixed.  This size allows for 4in6 and 6in4 encapsulations w/o fragmentation.

> I've captured with tcpdump (filter on port 53) and there were 3
> queries but no single reply packet.
> IP is reachable though.
> s15418965:~ # ping 199.19.56.1
> PING 199.19.56.1 (199.19.56.1) 56(84) bytes of data.
> 64 bytes from 199.19.56.1: icmp_seq=1 ttl=55 time=130 ms
> 
> 
> Wolfgang
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
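The diagnosis above (only the query whose answer needs UDP fragmentation times out, so the firewall is dropping fragments) can be turned into a small probe. The script below is an added example, not part of the thread or of BIND: it runs the same `dig dnskey ... +dnssec +ignore +norec` query at a ladder of EDNS buffer sizes and reports the largest size at which a UDP answer still arrives, and it derives the 1432 figure from the headers involved (1500 Ethernet MTU less a 40-byte IPv6 header, a 20-byte IPv4 header for a 6in4/4in6 tunnel, and 8 bytes of UDP). The server and zone are command-line arguments; the ladder of sizes (4096, 1472, 1452, 1432) is an assumption chosen to separate "fits an untunnelled IPv4 frame", "fits an untunnelled IPv6 frame" and "fits a tunnelled frame".

```shell
#!/bin/sh
# Added example (not from the bind-users thread): probe how large a UDP DNS
# response actually reaches this host, to confirm a "firewall drops
# fragments" diagnosis before lowering edns-udp-size in named.conf.

# Largest EDNS buffer that still fits one Ethernet frame even when the
# packet is carried inside a 6in4 / 4in6 tunnel:
#   1500 (Ethernet MTU) - 40 (IPv6 header) - 20 (IPv4 header) - 8 (UDP) = 1432
safe_edns_udp_size() {
    mtu=${1:-1500}
    echo $(( mtu - 40 - 20 - 8 ))
}

# Returns 0 when dig received a UDP answer at the given EDNS buffer size,
# 1 when the query timed out.  +ignore stops dig from retrying over TCP on a
# truncated answer, so a short reply still counts as "arrived"; +norec
# means the target must be an authoritative server for the zone.
probe_bufsize() {
    server=$1; zone=$2; bufsize=$3
    out=$(dig dnskey "$zone" +dnssec "@$server" +ignore +norec \
              +bufsize="$bufsize" +time=3 +tries=1 2>&1 || true)
    case $out in
        *"connection timed out"*) return 1 ;;
        *"status: NOERROR"*)      return 0 ;;
        *)                        return 1 ;;
    esac
}

# Walk from a full-size buffer down to the tunnel-safe size and print the
# first one that gets an answer.  Returns 1 (prints nothing) if even 1432
# fails, in which case the problem is not fragmentation.
find_working_bufsize() {
    server=$1; zone=$2
    for size in 4096 1472 1452 1432; do   # assumed ladder, see lead-in
        if probe_bufsize "$server" "$zone" "$size"; then
            echo "$size"
            return 0
        fi
    done
    return 1
}

# Usage: sh probe.sh <authoritative-server-ip> <zone>, e.g. 199.19.56.1 org
if [ "$#" -ge 2 ]; then
    if size=$(find_working_bufsize "$1" "$2"); then
        echo "largest UDP response that arrives: bufsize=$size"
        if [ "$size" -lt 4096 ]; then
            echo "fragmented replies appear to be dropped; set" \
                 "\"edns-udp-size $(safe_edns_udp_size);\" in named.conf"
        fi
    else
        echo "no UDP answer even at 1432 bytes: the problem is not fragmentation"
    fi
fi
```

A result of 1432 (or 1452/1472) with 4096 failing matches the symptom in the thread; a failure at every size points at plain UDP/53 filtering or routing rather than at fragment handling, and the `edns-udp-size` workaround would not help there.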
