Re: Problem with ed.gov

2012-01-19 Thread Warren Kumari

On Jan 19, 2012, at 8:14 PM, Mark Andrews wrote:

> 
> In message <4f18b4a5.3050...@rancid.berkeley.edu>, Michael Sinatra writes:
>> Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
>> sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
>> but the buffer size can easily be set higher.
> 
> Which often requires a recompile.  Additionally RFC 2671 also says
> DO NOT use the theoretical maximum.  AFAIK no one defaults to more
> than 4K at this point.  There is very little benefit, at this point,
> in going above 4K.  4K is also the current recommended value.
> Additionally even if the resolver supports >4K responses the server
> also has to support >4K responses.

Yes, but my concern here is that "DNS responses can *never* be bigger than 4k" 
gets baked into the public consciousness, just like "DNS packets can never be 
bigger than 512 bytes" seemed to be…
One day, 10 years from now shiny new extension is going to have deployment 
issues because the firewall monkeys have configured yet another limit….

W



> 
> Mark
> 
>> Moreover, the EDNS0 
>> buffer size merely specifies the size where the UDP response becomes 
>> truncated and must fall over to TCP.  If you limit UDP responses and 
>> also block TCP, you may also someday block legitimate traffic.  At this 
>> point it's extremely unlikely, but at one time DNS responses in the 
>> range of 1k-2k seemed extremely unlikely...
>> 
>> michael
>> 
>> On 01/19/12 12:34, Faehl, Chris wrote:
>>> Josh - are you using Cisco firewalls? We've seen problems resolving other
>>> .gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
>>> size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
>>> results and fixed those problems without other operational impact.
>>> 
>>> Chris Faehl
>>> Director, Cloud Architecture
>>> RightNow Technologies
>>> 
>>> On 1/19/12 12:39 PM, "Baird, Josh"  wrote:
>>> 
>>>> Ugly fix, but it does work.  I already had that in place as a "band-aid"
>>>> anyways.
>>>> 
>>>> Josh
>>>> 
>>>> -Original Message-
>>>> From: wbr...@e1b.org [mailto:wbr...@e1b.org]
>>>> Sent: Thursday, January 19, 2012 2:36 PM
>>>> To: Baird, Josh
>>>> Cc: bind-users@lists.isc.org
>>>> Subject: Re: Problem with ed.gov
>>>> 
>>>> Josh wrote on 01/19/2012 02:06:05 PM:
>>>> 
>>>>> My resolvers seem to be having problems resolving ed.gov hosts.  Others
>>>>> have reported similar problems, but I am having trouble figuring out
>>>>> where the problem lies.  Some other resolvers seem to be resolving
>>>>> ed.gov correctly.  I am able to query their authoritative servers
>>>>> directly from the same network where my resolvers are located.  But, my
>>>>> resolvers are not able to recurse to them.
>>>> 
>>>> [snip]
>>>>> Is anyone else having problems?  Can you spot anything that could be
>>>>> preventing my/our resolvers from successfully querying this?
>>>>> 
>>>> 
>>>> Years ago, we had problems with ed.gov.  We added the following to our
>>>> config on 2009-08-11 to forward to their name servers:
>>>> 
>>>> zone "ed.gov" {
>>>>     type forward;
>>>>     forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
>>>> };
>>>> 
>>>> Ugly fix? You bet!  But the problems went away...
>>>> 
>>>> IIRC, we did network sniffs at the perimeter and a bunch of other
>>>> troubleshooting to no avail.
>>>> 
>>>> 
>>>> 
>>>> Confidentiality Notice:
>>>> This electronic message and any attachments may contain confidential or
>>>> privileged information, and is intended only for the individual or
>>>> entity
>>>> identified above as the addressee. If you are not the addressee (or the
>>>> employee or agent responsible to deliver it to the addressee), or if
>>>> this
>>>> message has been addressed to you in error, you are hereby notified that
>>>> 
>>>> you may not copy, forward, disclose or use any part of this message or
>>>> any
>>>> attachments. Please notify the sende

Re: Problem with ed.gov

2012-01-19 Thread Mark Andrews

In message <4f18b4a5.3050...@rancid.berkeley.edu>, Michael Sinatra writes:
> Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
> sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
> but the buffer size can easily be set higher.

Which often requires a recompile.  Additionally RFC 2671 also says
DO NOT use the theoretical maximum.  AFAIK no one defaults to more
than 4K at this point.  There is very little benefit, at this point,
in going above 4K.  4K is also the current recommended value.
Additionally even if the resolver supports >4K responses the server
also has to support >4K responses.

Mark

> Moreover, the EDNS0 
> buffer size merely specifies the size where the UDP response becomes 
> truncated and must fall over to TCP.  If you limit UDP responses and 
> also block TCP, you may also someday block legitimate traffic.  At this 
> point it's extremely unlikely, but at one time DNS responses in the 
> range of 1k-2k seemed extremely unlikely...
> 
> michael
> 
> On 01/19/12 12:34, Faehl, Chris wrote:
> > Josh - are you using Cisco firewalls? We've seen problems resolving other
> > .gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
> > size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
> > results and fixed those problems without other operational impact.
> >
> > Chris Faehl
> > Director, Cloud Architecture
> > RightNow Technologies
> >
> > On 1/19/12 12:39 PM, "Baird, Josh"  wrote:
> >
> >> Ugly fix, but it does work.  I already had that in place as a "band-aid"
> >> anyways.
> >>
> >> Josh
> >>
> >> -Original Message-
> >> From: wbr...@e1b.org [mailto:wbr...@e1b.org]
> >> Sent: Thursday, January 19, 2012 2:36 PM
> >> To: Baird, Josh
> >> Cc: bind-users@lists.isc.org
> >> Subject: Re: Problem with ed.gov
> >>
> >> Josh wrote on 01/19/2012 02:06:05 PM:
> >>
> >>> My resolvers seem to be having problems resolving ed.gov hosts.  Others
> >>> have reported similar problems, but I am having trouble figuring out
> >>> where the problem lies.  Some other resolvers seem to be resolving
> >>> ed.gov correctly.  I am able to query their authoritative servers
> >>> directly from the same network where my resolvers are located.  But, my
> >>> resolvers are not able to recurse to them.
> >>
> >> [snip]
> >>> Is anyone else having problems?  Can you spot anything that could be
> >>> preventing my/our resolvers from successfully querying this?
> >>>
> >>
> >> Years ago, we had problems with ed.gov.  We added the following to our
> >> config on 2009-08-11 to forward to their name servers:
> >>
> >> zone "ed.gov" {
> >>     type forward;
> >>     forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
> >> };
> >>
> >> Ugly fix? You bet!  But the problems went away...
> >>
> >> IIRC, we did network sniffs at the perimeter and a bunch of other
> >> troubleshooting to no avail.
> >>
> >>
> >>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
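Mark's point above (the resolver's advertised size and the server's support both matter) and Michael's quoted point (the EDNS0 buffer size only sets where a UDP answer is truncated and TCP takes over) can be checked from the resolver's own network. The following is an added example, not code from this thread or from BIND: a small Python probe that builds a query carrying an EDNS0 OPT record with a chosen UDP payload size, reads the TC bit from the reply, and falls over to TCP only when truncated, the way a resolver would. The server address and name come from the command line, and the ladder of sizes tried (4096, 2048, 1024, 512) is a constructed choice.

```python
import socket
import struct
import sys


def build_query(qname, qtype=1, edns_udp_size=4096, txid=0x1234, dnssec_ok=True):
    """DNS query (RD set) carrying an EDNS0 OPT pseudo-RR that advertises edns_udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 2671): root name, TYPE 41, CLASS field = sender's UDP payload size,
    # TTL field = extended rcode / version / flags (DO bit 0x8000 asks for DNSSEC RRs).
    flags = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, flags, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header: id, rcode, TC (truncated) bit and section counts."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "ancount": an, "arcount": ar, "size": len(msg)}


def send_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(65535)[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before a full DNS message arrived")
        buf += chunk
    return buf


def send_tcp(server, query, timeout=3.0):
    # DNS over TCP prefixes every message with a 2-byte big-endian length.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, n)


def probe(server, qname, edns_udp_size=4096, txid=0x1234):
    """UDP first, TCP only when TC is set. Returns (outcome, header) for one advertised size."""
    query = build_query(qname, edns_udp_size=edns_udp_size, txid=txid)
    try:
        hdr = parse_header(send_udp(server, query))
    except socket.timeout:
        return "udp-timeout", None       # what 'dig +notcp' showed in the original post
    if hdr["id"] != txid:
        return "udp-id-mismatch", hdr    # stray or spoofed reply; never act on it
    if not hdr["tc"]:
        return "udp", hdr
    try:
        return "tcp", parse_header(send_tcp(server, query))
    except OSError:                      # timeout, refused or reset: TCP/53 is not getting through
        return "tcp-failed", hdr


if __name__ == "__main__":
    # Usage: python edns_probe.py <server-ip> <name>.  Constructed size ladder: compare the
    # outcomes per size; a middlebox enforcing 512 bytes tends to fail only the larger sizes.
    server, name = sys.argv[1], sys.argv[2]
    for size in (4096, 2048, 1024, 512):
        outcome, hdr = probe(server, name, edns_udp_size=size)
        print(f"edns_udp_size={size:5d}  {outcome:16s}  {hdr}")
```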


Re: Problem with ed.gov

2012-01-19 Thread Michael Sinatra
Please be aware that RFC 2671, which specifies EDNS0, allows for buffer 
sizes to reach 64k, not just 4k.  Most implementations default to 4k, 
but the buffer size can easily be set higher.  Moreover, the EDNS0 
buffer size merely specifies the size where the UDP response becomes 
truncated and must fall over to TCP.  If you limit UDP responses and 
also block TCP, you may also someday block legitimate traffic.  At this 
point it's extremely unlikely, but at one time DNS responses in the 
range of 1k-2k seemed extremely unlikely...


michael

On 01/19/12 12:34, Faehl, Chris wrote:

Josh - are you using Cisco firewalls? We've seen problems resolving other
.gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
results and fixed those problems without other operational impact.

Chris Faehl
Director, Cloud Architecture
RightNow Technologies

On 1/19/12 12:39 PM, "Baird, Josh"  wrote:


Ugly fix, but it does work.  I already had that in place as a "band-aid"
anyways.

Josh

-Original Message-
From: wbr...@e1b.org [mailto:wbr...@e1b.org]
Sent: Thursday, January 19, 2012 2:36 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh wrote on 01/19/2012 02:06:05 PM:


My resolvers seem to be having problems resolving ed.gov hosts.  Others
have reported similar problems, but I am having trouble figuring out
where the problem lies.  Some other resolvers seem to be resolving
ed.gov correctly.  I am able to query their authoritative servers
directly from the same network where my resolvers are located.  But, my
resolvers are not able to recurse to them.

[snip]

Is anyone else having problems?  Can you spot anything that could be
preventing my/our resolvers from successfully querying this?



Years ago, we had problems with ed.gov.  We added the following to our
config on 2009-08-11 to forward to their name servers:

zone "ed.gov" {
    type forward;
    forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
};

Ugly fix? You bet!  But the problems went away...

IIRC, we did network sniffs at the perimeter and a bunch of other
troubleshooting to no avail.





RE: Problem with ed.gov

2012-01-19 Thread Baird, Josh
Nope, no firewall in front or behind these particular boxes.

Josh

-Original Message-
From: Faehl, Chris [mailto:cfa...@rightnow.com] 
Sent: Thursday, January 19, 2012 3:34 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh - are you using Cisco firewalls? We've seen problems resolving other
.gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
results and fixed those problems without other operational impact.

Chris Faehl
Director, Cloud Architecture
RightNow Technologies

On 1/19/12 12:39 PM, "Baird, Josh"  wrote:

>Ugly fix, but it does work.  I already had that in place as a "band-aid"
>anyways.
>
>Josh
>
>-Original Message-
>From: wbr...@e1b.org [mailto:wbr...@e1b.org]
>Sent: Thursday, January 19, 2012 2:36 PM
>To: Baird, Josh
>Cc: bind-users@lists.isc.org
>Subject: Re: Problem with ed.gov
>
>Josh wrote on 01/19/2012 02:06:05 PM:
>
>> My resolvers seem to be having problems resolving ed.gov hosts.  Others
>> have reported similar problems, but I am having trouble figuring out
>> where the problem lies.  Some other resolvers seem to be resolving
>> ed.gov correctly.  I am able to query their authoritative servers
>> directly from the same network where my resolvers are located.  But, my
>> resolvers are not able to recurse to them.
>
>[snip]
>> Is anyone else having problems?  Can you spot anything that could be
>> preventing my/our resolvers from successfully querying this?
>> 
>
>Years ago, we had problems with ed.gov.  We added the following to our
>config on 2009-08-11 to forward to their name servers:
>
>zone "ed.gov" {
>    type forward;
>    forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
>};
>
>Ugly fix? You bet!  But the problems went away...
>
>IIRC, we did network sniffs at the perimeter and a bunch of other
>troubleshooting to no avail.
>
>
>


Re: Problem with ed.gov

2012-01-19 Thread Faehl, Chris
Josh - are you using Cisco firewalls? We've seen problems resolving other
.gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
results and fixed those problems without other operational impact.

Chris Faehl
Director, Cloud Architecture
RightNow Technologies

On 1/19/12 12:39 PM, "Baird, Josh"  wrote:

>Ugly fix, but it does work.  I already had that in place as a "band-aid"
>anyways.
>
>Josh
>
>-Original Message-
>From: wbr...@e1b.org [mailto:wbr...@e1b.org]
>Sent: Thursday, January 19, 2012 2:36 PM
>To: Baird, Josh
>Cc: bind-users@lists.isc.org
>Subject: Re: Problem with ed.gov
>
>Josh wrote on 01/19/2012 02:06:05 PM:
>
>> My resolvers seem to be having problems resolving ed.gov hosts.  Others
>> have reported similar problems, but I am having trouble figuring out
>> where the problem lies.  Some other resolvers seem to be resolving
>> ed.gov correctly.  I am able to query their authoritative servers
>> directly from the same network where my resolvers are located.  But, my
>> resolvers are not able to recurse to them.
>
>[snip]
>> Is anyone else having problems?  Can you spot anything that could be
>> preventing my/our resolvers from successfully querying this?
>> 
>
>Years ago, we had problems with ed.gov.  We added the following to our
>config on 2009-08-11 to forward to their name servers:
>
>zone "ed.gov" {
>    type forward;
>    forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
>};
>
>Ugly fix? You bet!  But the problems went away...
>
>IIRC, we did network sniffs at the perimeter and a bunch of other
>troubleshooting to no avail.
>
>
>


RE: Problem with ed.gov

2012-01-19 Thread Baird, Josh
Ugly fix, but it does work.  I already had that in place as a "band-aid"
anyways.

Josh

-Original Message-
From: wbr...@e1b.org [mailto:wbr...@e1b.org] 
Sent: Thursday, January 19, 2012 2:36 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh wrote on 01/19/2012 02:06:05 PM:

> My resolvers seem to be having problems resolving ed.gov hosts.  Others
> have reported similar problems, but I am having trouble figuring out
> where the problem lies.  Some other resolvers seem to be resolving
> ed.gov correctly.  I am able to query their authoritative servers
> directly from the same network where my resolvers are located.  But, my
> resolvers are not able to recurse to them.

[snip]
> Is anyone else having problems?  Can you spot anything that could be
> preventing my/our resolvers from successfully querying this?
> 

Years ago, we had problems with ed.gov.  We added the following to our 
config on 2009-08-11 to forward to their name servers:

zone "ed.gov" {
    type forward;
    forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
};

Ugly fix? You bet!  But the problems went away...

IIRC, we did network sniffs at the perimeter and a bunch of other 
troubleshooting to no avail.





Re: Problem with ed.gov

2012-01-19 Thread WBrown
Josh wrote on 01/19/2012 02:06:05 PM:

> My resolvers seem to be having problems resolving ed.gov hosts.  Others
> have reported similar problems, but I am having trouble figuring out
> where the problem lies.  Some other resolvers seem to be resolving
> ed.gov correctly.  I am able to query their authoritative servers
> directly from the same network where my resolvers are located.  But, my
> resolvers are not able to recurse to them.

[snip]
> Is anyone else having problems?  Can you spot anything that could be
> preventing my/our resolvers from successfully querying this?
> 

Years ago, we had problems with ed.gov.  We added the following to our 
config on 2009-08-11 to forward to their name servers:

zone "ed.gov" {
    type forward;
    forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 160.109.63.186; };
};

Ugly fix? You bet!  But the problems went away...

IIRC, we did network sniffs at the perimeter and a bunch of other 
troubleshooting to no avail.





Problem with ed.gov

2012-01-19 Thread Baird, Josh
Hi,

My resolvers seem to be having problems resolving ed.gov hosts.  Others
have reported similar problems, but I am having trouble figuring out
where the problem lies.  Some other resolvers seem to be resolving
ed.gov correctly.  I am able to query their authoritative servers
directly from the same network where my resolvers are located.  But, my
resolvers are not able to recurse to them.

$ dig +tcp fafsa.ed.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> +tcp fafsa.ed.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64510
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fafsa.ed.gov.  IN  A

;; Query time: 9995 msec
;; SERVER: 209.65.192.141#53(209.65.192.141)
;; WHEN: Thu Jan 19 13:56:56 2012
;; MSG SIZE  rcvd: 30

$ dig +notcp fafsa.ed.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> +notcp fafsa.ed.gov
;; global options:  printcmd
;; connection timed out; no servers could be reached

Is anyone else having problems?  Can you spot anything that could be
preventing my/our resolvers from successfully querying this?

Thanks,

Josh
