[dns-operations] uspto.gov
Mark Andrews
marka at isc.org
Mon May 17 22:47:46 UTC 2010
In message <87sk5qwlct.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> uspto.gov is signed, but the servers for that zone cannot reliably
> deliver the DNSKEY RRset. Curiously, the smaller trailing fragment
> seems to be missing. It's probably not even a case of not doing PMTUD
> properly, it happens with a 1500 MTU, too. (This has been observed
> with the 151.207.240.50 server, but others don't work, either.)
>
> Is anybody interested in debugging this?
It sounds like a firewall that doesn't know / isn't configured to
allow fragments other than the first through.

The DNS administrator there seems to want to get things fixed, but
is having trouble working with the firewall administrators to get
a working configuration. Providing external feedback to her will
help get the firewall fixed.

Mark

bsdi# tcpdump -i sis0 -s 0 -n -p host 151.207.246.51
tcpdump: listening on sis0
08:44:22.149011 211.30.172.21.56298 > 151.207.246.51.53: 63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17340:1480 at 0+)
08:44:27.173490 211.30.172.21.56298 > 151.207.246.51.53: 63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17341:1480 at 0+)
08:44:32.202189 211.30.172.21.56298 > 151.207.246.51.53: 63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:32.447367 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17342:1480 at 0+)
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
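
One way to check a longer trace for the pattern in the capture above, as an added example that is not part of the original message: it groups tcpdump's fragment annotations by IP ID and reports datagrams whose trailing fragments never arrived. The function name and the 192.0.2.53 / 198.51.100.7 sample lines are constructed; the parser accepts `@` as well as the ` at ` form shown in this archive.

```python
import re
from collections import defaultdict

# Fragment annotation in tcpdump's classic output: "(frag ID:LEN@OFFSET+)".
# A trailing "+" means the More Fragments flag is set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)(?:@| at )(\d+)(\+?)\)")
# "SRC.PORT > DST.PORT:" on a first fragment, "SRC > DST:" on later ones
# (non-first fragments carry no UDP header, so no ports are shown).
FLOW_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def incomplete_datagrams(lines):
    """Return [(src, dst, ip_id, first_missing_offset)] for datagrams whose
    fragments never add up to a complete packet in the capture."""
    frags = defaultdict(list)
    for line in lines:
        flow, frag = FLOW_RE.match(line), FRAG_RE.search(line)
        if not (flow and frag):
            continue  # unfragmented packet or unrelated line
        ip_id, length, offset = (int(frag.group(i)) for i in (1, 2, 3))
        frags[(flow.group(1), flow.group(2), ip_id)].append(
            (offset, length, frag.group(4) == "+"))
    report = []
    for (src, dst, ip_id), parts in frags.items():
        covered, complete = 0, False
        for offset, length, more in sorted(parts):
            if offset > covered:
                break  # hole: an earlier fragment never arrived
            covered = max(covered, offset + length)
            if not more:
                complete = True  # reached the final fragment with no gaps
        if not complete:
            report.append((src, dst, ip_id, covered))
    return report

# First three lines are replies copied from the capture above; the last two
# are a constructed, fully reassemblable datagram for comparison.
SAMPLE = """\
08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17340:1480 at 0+)
08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17341:1480 at 0+)
08:44:32.447367 151.207.246.51.53 > 211.30.172.21.56298: 63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17342:1480 at 0+)
09:00:00.000001 192.0.2.53.53 > 198.51.100.7.40000: 1234*- 7/0/1 DNSKEY (frag 500:1480@0+)
09:00:00.000002 192.0.2.53 > 198.51.100.7: (frag 500:212@1480)
""".splitlines()

if __name__ == "__main__":
    for src, dst, ip_id, missing in incomplete_datagrams(SAMPLE):
        print(f"{src} -> {dst} id {ip_id}: nothing received from byte {missing}")
```
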