-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A couple more gems: https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org) There was another table that I found someplace and cannot find now that listed Cisco PIX and mentioned with a * the subtle difference between versions of that firewall firmware. I can't find that table anywhere -- was HTML, not in a PDF. On 02/23/2011 11:39 AM, Ryan Novosielski wrote: > Take a look at this. It is somewhat confusing, but it is helpful and > should tell you right away if you definitely have a firewall issue (and > frankly there's little else it could be). > > https://www.dns-oarc.net/oarc/services/replysizetest > > On 02/23/2011 11:15 AM, Shaoquan Lin wrote: >> Thanks, Mark, > >> Last June I asked our firewall person to make sure our firewall not >> blocking DNS packets over 512 bytes. He told me our firewall was not >> blocking. I guess that might be some default setting of the firewall >> and he does not really know. I did two digs here one with +dnssec and >> one without. I got the the following: > >> 1) with +dnssec : >> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec >> ;; global options: +cmd >> ;; connection timed out; no servers could be reached > >> 2) without +dnssec : >> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024 >> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4 > >> ;; QUESTION SECTION: >> ;vwall4a.nyc.gov. IN A > >> ;; AUTHORITY SECTION: >> nyc.gov. 86400 IN NS vwall1a.nyc.gov. >> nyc.gov. 86400 IN NS vwall2a.nyc.gov. >> nyc.gov. 86400 IN NS vwall3a.nyc.gov. >> nyc.gov. 86400 IN NS vwall4a.nyc.gov. > >> ;; ADDITIONAL SECTION: >> vwall1a.nyc.gov. 86400 IN A 161.185.1.3 >> vwall2a.nyc.gov. 86400 IN A 161.185.1.12 >> vwall3a.nyc.gov. 86400 IN A 167.153.130.12 >> vwall4a.nyc.gov. 86400 IN A 167.153.130.13 > >> ;; Query time: 31 msec >> ;; SERVER: 209.112.123.30#53(209.112.123.30) >> ;; WHEN: Wed Feb 23 11:12:48 2011 >> ;; MSG SIZE rcvd: 192 > >> Does this show we do have a firewall problem here? > >> Shaoquan Lin > >> Mark Andrews wrote: >>> In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" >>> writes: >>> >>>> Mark, >>>> >>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is >>>> that I >>>> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from >>>> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older >>>> BINDs like >>>> 9.3. I don't know if the problem is with the authoritative >>>> nameservers for gov or the nameservers for nyc.gov or with the BIND I >>>> am using. I noticed the following: >>>> >>> >>> Just fix your firewalls to allow EDNS responses through. While >>> this is a bug in the authoritative servers / interpretation of >>> RFC 1034, its only a issue because your firewall configuration >>> is a decade out of date that it is a problem. >>> >>> >>>> 1). a.gov-servers.net or b.gov-servers.net does provide A records >>>> in the additional records of their responses for other subdomain >>>> under gov like treas.gov, just not nyc.gov. So the problem seems >>>> with nameservers for nyc.gov. The problem is relatively new and >>>> there might be some recent changes on nyc.gov. >>>> >>> >>> The gov servers will return glue if you let bigger answers than 512 bytes >>> through your firewall. >>> >>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov >>> @b.gov-servers.net +dnssec >>> ;; global options: +cmd >>> ;; Got answer: >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028 >>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5 >>> >>> ;; OPT PSEUDOSECTION: >>> ; EDNS: version: 0, flags:; udp: 1472 >>> ;; QUESTION SECTION: >>> ;vwall4a.nyc.gov. IN A >>> >>> ;; AUTHORITY SECTION: >>> nyc.gov. 86400 IN NS vwall1a.nyc.gov. >>> nyc.gov. 86400 IN NS vwall2a.nyc.gov. >>> nyc.gov. 86400 IN NS vwall3a.nyc.gov. >>> nyc.gov. 86400 IN NS vwall4a.nyc.gov. >>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 >>> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS >>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 >>> 20110227210022 20110222210022 47602 gov. >>> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 >>> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn >>> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA >>> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u >>> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 >>> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg== >>> >>> ;; ADDITIONAL SECTION: >>> vwall1a.nyc.gov. 86400 IN A 161.185.1.3 >>> vwall2a.nyc.gov. 86400 IN A 161.185.1.12 >>> vwall3a.nyc.gov. 86400 IN A 167.153.130.12 >>> vwall4a.nyc.gov. 86400 IN A 167.153.130.13 >>> >>> ;; Query time: 187 msec >>> ;; SERVER: 209.112.123.30#53(209.112.123.30) >>> ;; WHEN: Wed Feb 23 11:54:06 2011 >>> ;; MSG SIZE rcvd: 574 >>> >>> >>>> 2) Older version of Binds (like 9.3) seems able to resolve >>>> vwall4a.nyc.gov as shown the packets I captured in my previous e-mail. >>>> >>>> What options in named.conf I can use to set "tc"? >>>> >>>> Thank you. >>>> >>>> Shaoquan Lin >>>> > > > _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users - -- - ---- _ _ _ _ ___ _ _ _ |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer |$&| |__| | | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922) \__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1lTjMACgkQmb+gadEcsb5KSwCeJKU5Z7SXoRMJH53u1dGt8jj1 AF4AoKWOkg6gcc9Ng4kAmebcIHv+XAIF =deXw -----END PGP SIGNATURE-----
<<attachment: novosirj.vcf>>
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users