[dns-operations] k.root-servers.net
Simon Leinen
simon at limmat.switch.ch
Wed Apr 11 21:07:19 UTC 2007

Simon Waters writes:
> Probably nothing, but I've had a few messages over the last 2 weeks, all
> about "k.root-servers.net" from a recursive server running BIND 9.2.4 (Debian
> Sarge).

> Just me? Known issue?

> Apr 10 08:28:04 localhost kernel: UDP: short packet: 193.0.14.129:53 63027/117
> to 212.24.80.26:20

Our (relatively lightly used) recursive nameservers also run Linux,
and we see these messages sporadically as well. Not for K-Root (we
use a different instance, "k1.cern" in Geneva), but from other
nameservers:

$ dmesg | grep 'UDP: short packet'
UDP: short packet: From 201.6.0.102:53 126/124 to aa.bb.cc.dd:32791
UDP: short packet: From 198.32.64.12:53 10938/437 to aa.bb.cc.dd:80
UDP: short packet: From 201.6.0.102:53 130/128 to aa.bb.cc.dd:33210
UDP: short packet: From 201.6.0.102:53 126/124 to aa.bb.cc.dd:33210
UDP: short packet: From 201.6.0.102:53 126/124 to aa.bb.cc.dd:33210
UDP: short packet: 98/57
UDP: short packet: 98/57
UDP: short packet: 98/57
UDP: short packet: From 201.6.0.102:53 126/124 to aa.bb.cc.dd:33512
UDP: short packet: From 65.173.218.95:33749 27272/81 to aa.bb.cc.ee:53

(Sorry, no timestamps, but the extent of the log is 176 days.)

Note that one of these addresses is an instance (lax-01) of
L.ROOT-SERVERS.NET [198.32.64.12].

There seem to be two types of errors; for 201.6.0.102, the UDP size
field is off by two. For the other two servers (L-Root and
65.173.218.95), the UDP size field seems totally whacky, similar to
your K-Root examples.

It would be interesting to find out whether some of the servers run a
common operating system. If so, I would suspect an OS bug that
sometimes causes the UDP length field to be incorrect.

So could the K-Root and L-Root operators check whether their
respective boxes in London and L.A. run the same OS?

It could also be a misbehaving middlebox. In our case, the server is
connected directly to a backbone router with no firewall or other
middlebox in front of it, so the middlebox would have to be near the
servers. Load balancer?
--
Simon.
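
An added example, not part of the original message: a small Python parser that groups the kernel's "UDP: short packet" lines by source and separates small length offsets from large mismatches, the two kinds of error distinguished above. The function names, the labels and the 8-byte threshold are assumptions made for this illustration; the sample lines are copied from the message.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the message above (the K-Root line is rejoined from
# its wrapped, quoted form).
SAMPLE = """\
UDP: short packet: From 201.6.0.102:53 126/124 to aa.bb.cc.dd:32791
UDP: short packet: From 198.32.64.12:53 10938/437 to aa.bb.cc.dd:80
UDP: short packet: From 201.6.0.102:53 130/128 to aa.bb.cc.dd:33210
UDP: short packet: 98/57
UDP: short packet: From 65.173.218.95:33749 27272/81 to aa.bb.cc.ee:53
Apr 10 08:28:04 localhost kernel: UDP: short packet: 193.0.14.129:53 63027/117 to 212.24.80.26:20
"""

# The Linux kernel prints "<length claimed in UDP header>/<bytes received>".
# Source and destination are optional because some lines omit them.
LINE = re.compile(
    r"UDP: short packet: (?:(?:From )?(?P<src>\S+):(?P<sport>\d+) )?"
    r"(?P<claimed>\d+)/(?P<actual>\d+)"
    r"(?: to (?P<dst>\S+):(?P<dport>\d+))?"
)

SMALL_DELTA = 8  # assumption: offsets up to this many bytes count as "off by a few"


def parse(text):
    """Yield (source, claimed_len, received_len) for each short-packet line."""
    for m in map(LINE.search, text.splitlines()):
        if m:
            yield m["src"] or "unknown", int(m["claimed"]), int(m["actual"])


def classify(claimed, actual):
    """Label the mismatch between the header length and the received length."""
    delta = claimed - actual
    return "off-by-few" if 0 < delta <= SMALL_DELTA else "large-mismatch"


def summarize(text):
    """Return {source: {label: count}} so recurring senders stand out."""
    out = defaultdict(Counter)
    for src, claimed, actual in parse(text):
        out[src][classify(claimed, actual)] += 1
    return {src: dict(counts) for src, counts in out.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, counts)
```

Feeding it the output of `dmesg | grep 'UDP: short packet'` gives a per-source tally that can be compared across resolvers when checking whether the same senders show up elsewhere.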