[dns-operations] Strange problem with fragmented DNS responses from b.iana-servers.net

Duane Wessels wessels at dns-oarc.net
Mon Dec 8 21:38:41 UTC 2008

Hi Everyone,

A few weeks ago while working on the TLDmon scripts I noticed a
strange problem with b.iana-servers.net.  That server is one of
three that are authoritative for some IDN TLDs such as XN--9T4B11YI5A.

The problem I'm having is with this query:

    dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A rrsig

The response is larger than 1500 bytes so it gets fragmented.  I
receive the first fragment, but not the second.  But this only
happens when I query from hosts on ISC's network.

The query works if the query is changed to one of the other TLDs
such as XN--KGBECHTV.

The query works for a.iana-servers.net and c.iana-servers.net.

The query works over TCP.

The query works from non-ISC hosts that I have been able to test.

The folks at ICANN ran tcpdump on the server and we saw both fragments
leave the server.

So far the problem seems localized to ISC's network, but we are at
a loss to explain what could be causing it.  ISC tells me they have
no packet filters on their peer/transit provider links.

I'm really curious if anyone else sees this problem from their own
networks or not.

Duane W.
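
Added example, not part of the original message: one way to compare packet captures from the server side and the client side and report which IPv4 datagrams are missing fragments, as in the symptom described above. The addresses, IP ID and fragment sizes are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Return (datagram key, byte offset, payload length, MF flag) for a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    header_len = (ver_ihl & 0x0F) * 4
    key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident)
    return key, (flags_frag & 0x1FFF) * 8, total_len - header_len, bool(flags_frag & 0x2000)

def incomplete_datagrams(packets):
    """Map each fragmented datagram to its missing byte ranges; (start, None) = tail never seen."""
    frags = defaultdict(list)
    for pkt in packets:
        key, offset, length, more = parse_ipv4(pkt)
        if more or offset:                      # unfragmented packets are ignored
            frags[key].append((offset, length, more))
    report = {}
    for key, parts in frags.items():
        gaps, covered, saw_last = [], 0, False
        for offset, length, more in sorted(parts):
            if offset > covered:                # hole before this fragment
                gaps.append((covered, offset))
            covered = max(covered, offset + length)
            saw_last = saw_last or not more     # MF clear marks the final fragment
        if not saw_last:
            gaps.append((covered, None))
        if gaps:
            report[key] = gaps
    return report

def make_fragment(ident, offset, payload_len, more):
    """Constructed sample input: a 20-byte IPv4 header plus zero-filled payload (UDP, proto 17)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         55, 17, 0, socket.inet_aton("192.0.2.53"),
                         socket.inet_aton("198.51.100.10"))
    return header + bytes(payload_len)

# Constructed captures: the server side holds both fragments, the client side only the first.
SERVER_SIDE = [make_fragment(0x1234, 0, 1480, True), make_fragment(0x1234, 1480, 228, False)]
CLIENT_SIDE = SERVER_SIDE[:1]

if __name__ == "__main__":
    print("server:", incomplete_datagrams(SERVER_SIDE))
    print("client:", incomplete_datagrams(CLIENT_SIDE))
```

An empty result for the server-side capture together with a `(1480, None)` gap on the client side places the loss on the path between the two capture points rather than at the server.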

