[dns-operations] Strange problem with fragmented DNS responses from b.iana-servers.net
michael at rancid.berkeley.edu
Mon Dec 8 23:14:39 UTC 2008
On 12/08/08 13:38, Duane Wessels wrote:
> Hi Everyone,
> A few weeks ago while working on the TLDmon scripts I noticed a
> strange problem with b.iana-servers.net. That server is one of
> three that are authoritative for some IDN TLDs such as XN--9T4B11YI5A
> and XN--KGBECHTV.
> The problem I'm having is with this query:
> dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A rrsig
> The response is larger than 1500 bytes so it gets fragmented. I
> receive the first fragment, but not the second. But this only
> happens when I query from hosts on ISC's network.
It doesn't work for me when I query from a host with a host-based
firewall, like IPF or PF (on Solaris and FreeBSD respectively), where I
do NOT have "scrub in all" configured (in the case of PF). When I
either have scrubbing turned on or where (I)PF is turned off entirely, I
get what appears to be the correct response. You might want to look
into any host-based FWs that are running on the host you're using at ISC.
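
Added example, not part of the original post: a small Python check for the symptom discussed in this thread (first fragment of a large DNS response seen, the rest never arriving). It reads `tcpdump -n -v` text output and lists IP datagrams whose fragments do not add up to a complete datagram. The sample capture is constructed, and the code assumes IPv4 headers without options.

```python
import re
from collections import defaultdict

# Matches the IP header line printed by `tcpdump -n -v`.
HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto \w+ \(\d+\), length (\d+)")
# Matches the continuation line; an optional fifth dotted field is the port.
ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
IP_HEADER_LEN = 20  # assumption: IPv4 without options

# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = """\
12:00:00.000000 IP (tos 0x0, ttl 55, id 4660, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.53.53 > 198.51.100.10.40000: [|domain]
12:00:00.000100 IP (tos 0x0, ttl 55, id 4660, offset 1480, flags [none], proto UDP (17), length 248)
    192.0.2.53 > 198.51.100.10: ip-proto-17
12:00:05.000000 IP (tos 0x0, ttl 55, id 4661, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.53.53 > 198.51.100.10.40001: [|domain]
"""

def parse_fragments(text):
    """Group fragments by (src, dst, IP id) -> [(offset, payload_len, more_fragments)]."""
    groups, hdr = defaultdict(list), None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            hdr = m
            continue
        a = ADDR.search(line)
        if a and hdr:
            ident, off, flags, length = hdr.groups()
            groups[(a.group(1), a.group(2), int(ident))].append(
                (int(off), int(length) - IP_HEADER_LEN, "+" in flags))
            hdr = None
    return groups

def is_complete(parts):
    """True if fragments cover the datagram from offset 0 with no hole and the last has MF clear."""
    expected, more = 0, True
    for off, size, more in sorted(parts):
        if off > expected:
            return False  # hole before this fragment
        expected = max(expected, off + size)
    return not more

def incomplete_datagrams(text):
    """Return sorted (src, dst, id) keys of datagrams that never fully arrived."""
    return sorted(k for k, parts in parse_fragments(text).items() if not is_complete(parts))

if __name__ == "__main__":
    for src, dst, ident in incomplete_datagrams(SAMPLE):
        print(f"id {ident}: {src} -> {dst} never fully arrived")
```

Running it on captures taken on the wire side and on the application side of a host firewall shows whether the trailing fragment is lost before the host or dropped on it.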