On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> > The problem here seems to be fragmented UDP.

I seem to have misdiagnosed this due to tcpdump peculiarities. I only initially saw/suspected the problem since my capture for port 53 packets was including (only the first) ipv4 fragments. When adding a capture specifically to get all ipv4 fragments in addition to my port 53 packets, I do see all of the fragments.

So back to the drawing board.

In my previous posting, I was able to demonstrate that I do get some queries authenticated, but others (corresponding to the errors in my logs) are not. For example:

Jul 20 08:59:37 linux named[17472]: validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found

and sure enough:

# dig +dnssec @localhost 119.in-addr.arpa SOA

; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.              IN      SOA

;; ANSWER SECTION:
119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; AUTHORITY SECTION:
119.in-addr.arpa.       78212   IN      NS      ns1.apnic.net.
119.in-addr.arpa.       78212   IN      NS      sec1.authdns.ripe.net.
119.in-addr.arpa.       78212   IN      NS      ns2.lacnic.net.
119.in-addr.arpa.       78212   IN      NS      ns4.apnic.net.
119.in-addr.arpa.       78212   IN      NS      ns3.apnic.net.
119.in-addr.arpa.       78212   IN      NS      apnic1.dnsnode.net.
119.in-addr.arpa.       78212   IN      NS      tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.          167     IN      A       202.12.29.25
ns1.apnic.net.          164129  IN      AAAA    2001:dc0:2001:0:4608::25
ns2.lacnic.net.         82967   IN      A       200.3.13.11
ns2.lacnic.net.         164257  IN      AAAA    2001:13c7:7002:3000::11
ns3.apnic.net.          167     IN      A       202.12.28.131
ns3.apnic.net.          164129  IN      AAAA    2001:dc0:1:0:4777::131
ns4.apnic.net.          167     IN      A       202.12.31.140
ns4.apnic.net.          164129  IN      AAAA    2001:dc0:4001:1:0:1836:0:140
sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
apnic1.dnsnode.net.     3767    IN      A       194.146.106.106
tinnie.arin.net.        35918   IN      A       199.212.0.53
tinnie.arin.net.        35918   IN      AAAA    2001:500:13::c7d4:35
sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=

;; Query time: 239 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 09:02:18 2012
;; MSG SIZE  rcvd: 892

no "ad" bit set. But why?

Cheers,
b.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
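A first triage step for a "no ad bit" answer like the one in the post is to separate the cheap explanations (no RRSIG returned, signature outside its inception/expiration window) from a real chain-of-trust problem. The script below is an added example, not code from the post or from BIND: it parses the header flags and the RRSIG records from a dig +dnssec answer and checks each signature's validity window against the query time. The sample is a constructed excerpt of the dig output above (signature data truncated, since it is not used), and the query time 20120720130218 is an assumed UTC rendering of the "WHEN" line.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the dig output from the post: header flags plus the
# two RRSIGs. Signature base64 is truncated; only the timing fields are used.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
119.in-addr.arpa. 172800 IN RRSIG SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J...
sec1.authdns.ripe.net. 167 IN RRSIG A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInoz...
"""

# RRSIG presentation format: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)", re.M)

def _ts(yyyymmddhhmmss):
    """RRSIG timestamps are UTC in YYYYMMDDHHMMSS form."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_flags(text):
    """Return the set of header flags (qr, rd, ra, ad, ...) from a dig answer."""
    m = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()

def check_rrsigs(text, now_ts):
    """One dict per RRSIG, with whether now_ts falls inside inception..expiration."""
    now = _ts(now_ts)
    out = []
    for m in RRSIG_RE.finditer(text):
        inc, exp = _ts(m["inc"]), _ts(m["exp"])
        out.append({"owner": m["owner"], "type": m["type"], "signer": m["signer"],
                    "keytag": int(m["keytag"]), "in_window": inc <= now <= exp})
    return out

def diagnose(text, now_ts):
    """Coarse classification of why a resolver did (not) set the ad bit."""
    if "ad" in parse_flags(text):
        return "validated"
    sigs = check_rrsigs(text, now_ts)
    if not sigs:
        return "no RRSIG in answer"
    if any(not s["in_window"] for s in sigs):
        return "RRSIG outside validity window"
    return "RRSIGs present and timely; resolver did not set ad (check trust chain and validator logs)"
```

For the post's answer this reports the last case, which is consistent with the "no valid signature found" log line pointing at the validator rather than at the data's freshness.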