[dns-operations] uspto.gov

Mark Andrews marka at isc.org
Mon May 17 22:47:46 UTC 2010


In message <87sk5qwlct.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> uspto.gov is signed, but the servers for that zone cannot reliably
> deliver the DNSKEY RRset.  Curiously, the smaller trailing fragment
> seems to be missing.  It's probably not even a case of not doing PMTUD
> properly, it happens with a 1500 MTU, too.  (This has been observed
> with the 151.207.240.50 server, but others don't work, either.)
> 
> Is anybody interested in debugging this?

It sounds like a firewall that doesn't know / isn't configured to
allow fragments other than the first through.

The DNS administrator there seems to want to get things fixed, but
is having trouble working with the firewall administrators to get
a working configuration.  Providing external feedback to her will
help get the firewall fixed.

Mark

bsdi# tcpdump -i sis0 -s 0 -n -p host 151.207.246.51
tcpdump: listening on sis0
08:44:22.149011 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17340:1480@0+)
08:44:27.173490 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17341:1480@0+)
08:44:32.202189 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
08:44:32.447367 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17342:1480@0+)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
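
The symptom in the capture above (a first fragment flagged "+" whose trailing fragment never arrives) can be checked mechanically over tcpdump text output. This Python is an added example, not part of the original post; the function name and the 192.0.2.53 / 198.51.100.7 lines with a 412-byte trailer are constructed for contrast.

```python
import re
from collections import defaultdict

# Old-style tcpdump fragment note: (frag ID:SIZE@OFFSET[+]); "+" means more
# fragments follow. Some mail archives rewrite "@" as " at ", so accept both.
FRAG = re.compile(r"\S+ (\d+(?:\.\d+){3})\S* > (\d+(?:\.\d+){3})\S*.*"
                  r"\(frag (\d+):(\d+)(?:@| at )(\d+)(\+?)\)")

def incomplete_datagrams(lines):
    """Return [(src_ip, ip_id, contiguous_bytes_seen)] for datagrams whose
    fragments never reach a final (no "+") fragment without a gap."""
    frags = defaultdict(list)
    for line in lines:
        m = FRAG.match(line)
        if m:  # lines without a frag note (e.g. the queries) are skipped
            src, dst, ip_id, size, off, more = m.groups()
            frags[(src, dst, int(ip_id))].append((int(off), int(size), more == "+"))
    bad = []
    for (src, _dst, ip_id), parts in frags.items():
        seen, complete = 0, False
        for off, size, more in sorted(parts):
            if off != seen:      # hole: an earlier fragment is missing
                break
            seen = off + size
            if not more:         # final fragment arrived, datagram is whole
                complete = True
                break
        if not complete:
            bad.append((src, ip_id, seen))
    return bad

# Lines 1-3: query and two responses from the capture in the post.
# Lines 4-5: CONSTRUCTED healthy response (documentation addresses, invented
# 412-byte trailing fragment) that reassembles and is therefore not reported.
SAMPLE = [
    "08:44:22.149011 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)",
    "08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17340:1480@0+)",
    "08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17341:1480@0+)",
    "08:44:22.396200 192.0.2.53.53 > 198.51.100.7.40000:  4242*- 7/0/1 DNSKEY (frag 4242:1480@0+)",
    "08:44:22.396201 192.0.2.53 > 198.51.100.7: (frag 4242:412@1480)",
]

if __name__ == "__main__":
    for src, ip_id, seen in incomplete_datagrams(SAMPLE):
        print(f"{src} ip_id={ip_id}: only {seen} contiguous bytes, no final fragment")
```

Run on the receiving side of the suspected filter; a datagram reported here means the capture point never saw the remaining fragments.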


