[dns-operations] Strange problem with fragmented DNS responses from b.iana-servers.net

Michael Sinatra michael at rancid.berkeley.edu
Mon Dec 8 23:14:39 UTC 2008

On 12/08/08 13:38, Duane Wessels wrote:
> Hi Everyone,
> A few weeks ago while working on the TLDmon scripts I noticed a
> strange problem with b.iana-servers.net.  That server is one of
> three that are authoritative for some IDN TLDs such as XN--9T4B11YI5A
> The problem I'm having is with this query:
>    dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A rrsig
> The response is larger than 1500 bytes so it gets fragmented.  I
> receive the first fragment, but not the second.  But this only
> happens when I query from hosts on ISC's network.

It doesn't work for me when I query from a host with a host-based 
firewall, like IPF or PF (on Solaris and FreeBSD respectively), where I 
do NOT have "scrub in all" configured (in the case of PF).  When I 
either have scrubbing turned on or where (I)PF is turned off entirely, I 
get what appears to be the correct response.  You might want to look 
into any host-based FWs that are running on the host you're using at ISC.


More information about the dns-operations mailing list