Re: our isp not supports EDNS?

2010-06-22 Thread Mark Andrews

In message <20100622155814.gd4...@puga.deis.gldn.net>, Anatoly Pugachev writes:
> Mark,
> 
> please see below...
> 
> On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
> > 
> > In message , Jeff Pang writes:
> > > Hello,
> > > 
> > > Following the discussions in the list, I made a test on one of our
> > > servers, which is in an ISP's datacenter.
> > > 
> > > The result is below:
> > > 
> > > $ dig +short rs.dns-oarc.net txt
> > > rst.x476.rs.dns-oarc.net.
> > > rst.x485.x476.rs.dns-oarc.net.
> > > rst.x490.x485.x476.rs.dns-oarc.net.
> > > "218.204.255.72 DNS reply size limit is at least 490"
> > > "218.204.255.72 lacks EDNS, defaults to 512"
> > > "Tested at 2010-05-04 02:23:51 UTC"
> > > 
> > > Does this mean our ISP's firewall blocks EDNS query/response?
> > 
> > Maybe / maybe not.  It could just mean that the nameserver itself
> > doesn't support EDNS.
> 
> How bad is it if the provider's server doesn't support/make eDNS queries?
> Is eDNS support/usage for the DNSSEC protocol only? I mean, my
> colleague proposes to use the following statement in named.conf:
> 
> server 0.0.0.0/0 {
> edns no;
> };

You are throwing the baby out with the bath water.  There are very few
servers that respond to EDNS queries with plain DNS responses and named
will still resolve from them despite the broken middleware.  I suggest
that, rather than doing this, you complain to your ISP and have them
trace the fault.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
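
Added example (not part of the original thread, and not BIND's code): a Python sketch of the per-server check the reply above alludes to. It builds a query carrying an EDNS OPT record and classifies a reply as EDNS, plain DNS, or timeout. The function names and the sample replies are constructed for illustration.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)

def build_message(name, qtype=16, response=False, edns_bufsize=None):
    """Build a DNS message with one question and, optionally, an OPT record."""
    flags = 0x8180 if response else 0x0100           # QR+RD+RA, or RD only
    msg = struct.pack("!HHHHHH", 0x1A2B, flags, 1, 0, 0, 1 if edns_bufsize else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)    # root label, QTYPE, QCLASS=IN
    if edns_bufsize:
        # OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags, RDLENGTH=0 (no options).
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # a compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def opt_bufsize(msg):
    """Return the UDP payload size from the message's OPT RR, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass
        off += 10 + rdlen
    return None

def classify(response):
    """Classify the reply to an EDNS query; None means the query timed out."""
    if response is None:
        return "timeout"
    size = opt_bufsize(response)
    return "plain-dns" if size is None else f"edns:{size}"

if __name__ == "__main__":
    # Constructed replies, not captured traffic.
    for reply in (build_message("rs.dns-oarc.net", response=True, edns_bufsize=4096),
                  build_message("rs.dns-oarc.net", response=True), None):
        print(classify(reply))
```

A "plain-dns" result means the server answered without EDNS and the 512-byte limit applies to it; "timeout" on the EDNS query while a plain query succeeds points at filtering in the path, which is a per-server finding rather than a reason to set `edns no` for every server.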


Re: our isp not supports EDNS?

2010-06-22 Thread Anatoly Pugachev

Thanks Bill.

I'm well aware of dns-oarc tests...
but they are no more than firewall / dns packet size tests.

My idea/concern is what could be wrong/broken (except for DNSSEC), if we
disable eDNS on our servers - I need to carry this idea to my colleague.
My quick test shows that disabling edns per "0/0 { edns no;};" doesn't
break resolving/anything (except for dnssec queries).

On 22.06.2010 / 10:14:36 -0700, Bill Buhlman wrote:
> another example:
>  
> dig +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net.
> "Tested at 2010-06-22 17:11:44 UTC"
> "169.199.1.1 sent EDNS buffer size 4096"
> "169.199.1.1 DNS reply size limit is at least 3843"
> 
> --- On Tue, 6/22/10, Anatoly Pugachev  wrote:
> 
> 
> From: Anatoly Pugachev 
> Subject: Re: our isp not supports EDNS?
> To: "Mark Andrews" 
> Cc: "Jeff Pang" , bind-us...@isc.org
> Date: Tuesday, June 22, 2010, 8:58 AM
> 
> 
> 
> Mark,
> 
> please see below...
> 
> On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
> > 
> > In message , Jeff Pang writes:
> > > Hello,
> > > 
> > > Following the discussions in the list, I made a test on one of our
> > > servers, which is in an ISP's datacenter.
> > > 
> > > The result is below:
> > > 
> > > $ dig +short rs.dns-oarc.net txt
> > > rst.x476.rs.dns-oarc.net.
> > > rst.x485.x476.rs.dns-oarc.net.
> > > rst.x490.x485.x476.rs.dns-oarc.net.
> > > "218.204.255.72 DNS reply size limit is at least 490"
> > > "218.204.255.72 lacks EDNS, defaults to 512"
> > > "Tested at 2010-05-04 02:23:51 UTC"
> > > 
> > > Does this mean our ISP's firewall blocks EDNS query/response?
> > 
> > Maybe / maybe not.  It could just mean that the nameserver itself
> > doesn't support EDNS.
> 
> How bad is it if the provider's server doesn't support/make eDNS queries?
> Is eDNS support/usage for the DNSSEC protocol only? I mean, my
> colleague proposes to use the following statement in named.conf:
> 
> server 0.0.0.0/0 {
>         edns no;
> };
> 
> as a fix for the broken servers which don't support eDNS queries, for
> example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains,
> http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM, and dig
> +bufsize requests to them end with a timeout, so it is probably just
> firewalled for packets more than 512 bytes long).
> 

Re: our isp not supports EDNS?

2010-06-22 Thread Bill Buhlman
another example:
 
dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-06-22 17:11:44 UTC"
"169.199.1.1 sent EDNS buffer size 4096"
"169.199.1.1 DNS reply size limit is at least 3843"

--- On Tue, 6/22/10, Anatoly Pugachev  wrote:


From: Anatoly Pugachev 
Subject: Re: our isp not supports EDNS?
To: "Mark Andrews" 
Cc: "Jeff Pang" , bind-us...@isc.org
Date: Tuesday, June 22, 2010, 8:58 AM



Mark,

please see below...

On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
> 
> In message , Jeff Pang writes:
> > Hello,
> > 
> > Following the discussions in the list, I made a test on one of our
> > servers, which is in an ISP's datacenter.
> > 
> > The result is below:
> > 
> > $ dig +short rs.dns-oarc.net txt
> > rst.x476.rs.dns-oarc.net.
> > rst.x485.x476.rs.dns-oarc.net.
> > rst.x490.x485.x476.rs.dns-oarc.net.
> > "218.204.255.72 DNS reply size limit is at least 490"
> > "218.204.255.72 lacks EDNS, defaults to 512"
> > "Tested at 2010-05-04 02:23:51 UTC"
> > 
> > Does this mean our ISP's firewall blocks EDNS query/response?
> 
> Maybe / maybe not.  It could just mean that the nameserver itself
> doesn't support EDNS.

How bad is it if the provider's server doesn't support/make eDNS queries?
Is eDNS support/usage for the DNSSEC protocol only? I mean, my
colleague proposes to use the following statement in named.conf:

server 0.0.0.0/0 {
        edns no;
};

as a fix for the broken servers which don't support eDNS queries, for
example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains,
http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM, and dig
+bufsize requests to them end with a timeout, so it is probably just
firewalled for packets more than 512 bytes long).




Re: our isp not supports EDNS?

2010-06-22 Thread Anatoly Pugachev

Mark,

please see below...

On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
> 
> In message , Jeff Pang writes:
> > Hello,
> > 
> > Following the discussions in the list, I made a test on one of our
> > servers, which is in an ISP's datacenter.
> > 
> > The result is below:
> > 
> > $ dig +short rs.dns-oarc.net txt
> > rst.x476.rs.dns-oarc.net.
> > rst.x485.x476.rs.dns-oarc.net.
> > rst.x490.x485.x476.rs.dns-oarc.net.
> > "218.204.255.72 DNS reply size limit is at least 490"
> > "218.204.255.72 lacks EDNS, defaults to 512"
> > "Tested at 2010-05-04 02:23:51 UTC"
> > 
> > Does this mean our ISP's firewall blocks EDNS query/response?
> 
> Maybe / maybe not.  It could just mean that the nameserver itself
> doesn't support EDNS.

How bad is it if the provider's server doesn't support/make eDNS queries?
Is eDNS support/usage for the DNSSEC protocol only? I mean, my
colleague proposes to use the following statement in named.conf:

server 0.0.0.0/0 {
edns no;
};

as a fix for the broken servers which don't support eDNS queries, for
example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains,
http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM, and dig
+bufsize requests to them end with a timeout, so it is probably just
firewalled for packets more than 512 bytes long).





Re: our isp not supports EDNS?

2010-05-04 Thread Jeff Pang
2010/5/4 Mark Andrews :
>
> In message , Jeff Pang writes:
>>
>> Does this mean our ISP's firewall blocks EDNS query/response?
>


Thanks Mark.
At first I was very afraid that DNSSEC deployment for the root DNS would
affect our DNS application (we are a mobile email provider in China), but now
it seems it won't. I wrote a blog post to mark that (maybe it's useful for
Chinese readers):
http://squidcn.spaces.live.com/blog/cns!B49104BB65206A10!255.entry

Thanks again.

-- 
Tech support agent in China
http://duxieweb.com/


RE: our isp not supports EDNS?

2010-05-04 Thread Lightner, Jeff
That's what makes this whole discussion so much fun.  There don't seem
to be any yes/no answers.

Based on my reading yesterday and consistent with our findings here it
seems the most likely issue is somewhere in the network path rather than
the name server itself.  You should check your internal
routers/switches/firewalls first.  


-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Mark Andrews
Sent: Tuesday, May 04, 2010 12:31 AM
To: Jeff Pang
Cc: bind-us...@isc.org
Subject: Re: our isp not supports EDNS? 


In message , Jeff Pang writes:
> Hello,
> 
> Following the discussions in the list, I made a test on one of our
> servers, which is in an ISP's datacenter.
> 
> The result is below:
> 
> $ dig +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "218.204.255.72 DNS reply size limit is at least 490"
> "218.204.255.72 lacks EDNS, defaults to 512"
> "Tested at 2010-05-04 02:23:51 UTC"
> 
> Does this mean our ISP's firewall blocks EDNS query/response?

Maybe / maybe not.  It could just mean that the nameserver itself
doesn't support EDNS.

> Thanks.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: our isp not supports EDNS?

2010-05-03 Thread Mark Andrews

In message , Jeff Pang writes:
> Hello,
> 
> Following the discussions in the list, I made a test on one of our
> servers, which is in an ISP's datacenter.
> 
> The result is below:
> 
> $ dig +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "218.204.255.72 DNS reply size limit is at least 490"
> "218.204.255.72 lacks EDNS, defaults to 512"
> "Tested at 2010-05-04 02:23:51 UTC"
> 
> Does this mean our ISP's firewall blocks EDNS query/response?

Maybe / maybe not.  It could just mean that the nameserver itself
doesn't support EDNS.

> Thanks.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org