Hello all, first let me thank you for your patience.
On Fri, Jul 11, 2014 at 10:47 AM, Mark Andrews <ma...@isc.org> wrote:
>
> In message <CALm7FAdeV4eqiAZc2vP=mnpkv4do3c9yzu2j-lpdifv8eb8...@mail.gmail.com>, Wolfgang Rosenauer writes:
>> All but one request succeeded:
>> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +norec
>>
>> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1 +ignore +norec
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>
> Which requires fragmented UDP to be passed by the firewall. The
> rest of the test udp responses will all fit in an ethernet frame.
>
> Test with
>
> dig dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432

seems to work:

s15418965:/var/lib/named/log # dig dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> dnskey org +dnssec @199.19.56.1 +ignore +norec +bufsize=1432
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21075
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.                           IN      DNSKEY

;; Query time: 131 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Fri Jul 11 11:19:15 CEST 2014
;; MSG SIZE  rcvd: 32

> Then set "edns-udp-size 1432;" in named.conf until you can get the firewall
> fixed. This size allows for 4in6 and 6in4 encapsulations w/o fragmentation.

Done that, and basic resolution is still broken :-(

s15418965:/var/lib/named/log # dig @127.0.0.1 isc.org

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> @127.0.0.1 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;isc.org.                       IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 11 11:19:58 CEST 2014
;; MSG SIZE  rcvd: 36

I'm running out of ideas. Meanwhile I've confirmed that the same setup and
software versions work on another hosted machine (bare metal, different
hoster), so I really agree it is some strange network setup. I'll ask the
provider again what's wrong, but I'm really lost as to why I can ask an external
bind successfully while my own one still does not get the reply back.

Wolfgang

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
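The probe Mark describes (step the advertised EDNS UDP size down until a reply gets through, then read the TC bit and the responder's own udp size) as an added stand-alone example; it is not code from this thread or from BIND. It builds the same wire query that `dig <name> dnskey +dnssec +norec +bufsize=N` sends; the `udp_probe` helper, the 4096/1432/1232/512 ladder and the constructed reply in the test are my assumptions.

```python
import socket
import struct
OPT, DNSKEY = 41, 48  # RR type codes

def build_query(name, qtype, bufsize, qid=0x1234):
    # Wire shape of `dig <name> <type> +dnssec +norec +bufsize=N`: RD clear, one
    # question, one OPT RR (CLASS = advertised UDP size, TTL carries the DO bit).
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.strip('.').split('.')) + b'\x00'
    header = struct.pack('!HHHHHH', qid, 0, 1, 0, 0, 1)
    opt = b'\x00' + struct.pack('!HHIH', OPT, bufsize, 0x8000, 0)
    return header + qname + struct.pack('!HH', qtype, 1) + opt

def skip_name(data, off):
    # Offset just past a (possibly compressed) name that starts at OFF.
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    # Header flags plus the UDP size the other side advertised in its OPT RR.
    qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', data[:12])
    info = {'id': qid, 'qr': bool(flags & 0x8000), 'aa': bool(flags & 0x0400),
            'tc': bool(flags & 0x0200), 'rcode': flags & 0xF, 'udp': None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        if rtype == OPT:
            info['udp'] = rclass
        off += 10 + rdlen
    return info

def udp_probe(server, query, timeout=3.0):
    # One UDP round trip; None on timeout, which is what a dropped fragment looks like.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None

def largest_answering_bufsize(send, name, qtype=DNSKEY, sizes=(4096, 1432, 1232, 512)):
    # Walk SIZES downward; SEND maps query bytes to reply bytes or None
    # (e.g. lambda q: udp_probe('199.19.56.1', q)). Returns (size, parsed reply).
    for size in sizes:
        reply = send(build_query(name, qtype, size))
        if reply is not None:
            return size, parse_response(reply)
    return None, None
```

A reply with `tc` set at the first size that answers, and a `udp` value larger than that size, is the signature of the page's situation: the server is willing to send a full-size UDP answer but only a fragment-free one reaches the client.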