On Fri, Jan 01, 2010 at 09:44:13PM +0000, Paul Vixie wrote:
> Jason Bertoch <ja...@i6ix.com> writes:
>
> >> Dec 31 10:12:37 linux-1ij2 named[14306]: too many timeouts resolving
> >> 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS
> >
> > Do you have a firewall in front of this server that limits DNS packets to
> > 512 bytes?
>
> statistically speaking, yes, most people have that. which is damnfoolery,
> but well supported by the vendors, who think either that udp/53 datagrams
> larger than 512 octets are amplification attacks, or that udp packets having
> no port numbers because they are fragments lacking any udp port information,
> are evil and dangerous. sadly, no one has yet been fired for buying devices
> that implement this kind of overspecification. hopefully that will change
> after the DNS root zone is signed and udp/53 responses start to generally
> include DNSSEC signatures, pushing most of them way over the 512 octet limit.
>
> it's going to be another game of chicken -- will the people who build and/or
> deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
> --
> Paul Vixie
> KI6YSY
well, having been pushing vendors for a while on this, expect at least Checkpoint and Cisco to have corrected solutions fielded soon - and RedHat has fixed their DNSMASQ code since it was pointed out to them that their defaults were based on flawed assumptions. Not a lost cause - but the inertia of the installed base is huge and it will take more than the last six months of work to make a dent. It would help if the BIND EDNS0 negotiation would not fall back to the 512 byte limit - perhaps you could talk with the ISC developers about that.

--bill
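Added example, not part of the thread and not BIND/ISC code: a small Python model of the exchange the two messages describe. It builds a query with an EDNS0 OPT record advertising a UDP payload size, parses the reply for the TC bit and OPT size, and walks a fallback ladder (4096 octets, then 512, then no EDNS) that approximates what the quoted named log line implies; the exact ladder, the stand-in authoritative server, the firewall models and the name example.com are all assumptions made for illustration. The "legacy firewall" drops any UDP/53 datagram over 512 octets, as Paul describes; the run shows why the fallback masks the problem: the 512-octet step succeeds with a truncated answer, so the resolver carries on over TCP instead of anyone noticing the middlebox.

```python
"""Constructed model of EDNS0 buffer-size fallback behind a 512-octet UDP/53 firewall."""
import random
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
TXT_TYPE = 16
FLAG_TC = 0x0200       # header "truncated" bit
DO_BIT = 0x8000        # DNSSEC OK, carried in the OPT TTL field
# Assumed ladder (illustration, not BIND's actual logic): large, then 512, then plain DNS.
EDNS_LADDER = (4096, 512, None)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, edns_bufsize=None):
    """Return (txid, wire query); with edns_bufsize set, append an OPT RR advertising it."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)  # RD set
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, DO_BIT, 0)
    return txid, msg


def skip_name(data, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_message(data):
    """Extract what fallback logic needs: txid, TC bit, answer count, advertised OPT size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    info = {"txid": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "size": len(data), "edns_bufsize": None}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns_bufsize"] = rclass   # the CLASS field carries the buffer size
    return info


def fake_authoritative_server(query, answer_count=20):
    """Constructed stand-in for a name server that honors the client's advertised size."""
    q = parse_message(query)
    limit = q["edns_bufsize"] or 512
    question = query[12:skip_name(query, 12) + 4]
    # One 60-byte TXT answer, owner name compressed to the question (pointer 0xC00C).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, 1, 60, 48) + b"\x2f" + b"x" * 47
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if q["edns_bufsize"] else b""
    body, ancount, truncated = question, 0, False
    for _ in range(answer_count):
        if 12 + len(body) + len(rr) + len(opt) > limit:
            truncated = True          # set TC so the client retries over TCP
            break
        body += rr
        ancount += 1
    flags = 0x8180 | (FLAG_TC if truncated else 0)   # QR, RD, RA
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, ancount, 0, 1 if opt else 0)
    return header + body + opt


def legacy_firewall(packet):
    """The middlebox in the thread: silently drops any UDP/53 datagram over 512 octets."""
    if len(packet) > 512:
        raise TimeoutError("dropped by firewall")
    return packet


def permissive_firewall(packet):
    return packet


def resolve_with_fallback(name, send, qtype=1):
    """Walk the ladder until a reply arrives; return (bufsize used, parsed reply)."""
    for bufsize in EDNS_LADDER:
        txid, msg = build_query(name, qtype, bufsize)
        try:
            reply = parse_message(send(msg))
        except TimeoutError:
            continue                  # the step named logs as "too many timeouts"
        if reply["txid"] == txid:
            return bufsize, reply
    raise TimeoutError("every fallback step timed out")


def probe(firewall, name="example.com"):
    """Run the resolver against the fake server through a firewall model."""
    bufsize, reply = resolve_with_fallback(name, lambda m: firewall(fake_authoritative_server(m)))
    return bufsize, reply["tc"], reply["answers"], reply["size"]


if __name__ == "__main__":
    print("legacy firewall:    ", probe(legacy_firewall))      # (512, True, 7, 460)
    print("permissive firewall:", probe(permissive_firewall))  # (4096, False, 20, 1240)
```

Through the permissive firewall the 4096-octet advertisement gets the whole 1240-octet answer in one datagram. Through the legacy firewall that datagram never arrives, the 512-octet retry comes back truncated after seven records, and the resolver would continue over TCP; nothing in the reply itself says a middlebox was the cause, which is the silent behaviour Bill objects to.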