[dns-operations] uspto.gov

Eric Osterweil eoster at cs.ucla.edu
Tue May 25 05:11:10 UTC 2010


Hey Karen,

SecSpider ( http://secspider.cs.ucla.edu/ ) is a distributed polling system that tests for the health of DNSSEC zones.  Among other things, it tests the availability of DNSKEYs from its globally diverse polling locations so that we can see if there are problems and help quantify them.  We actually track your zone at:
	http://secspider.cs.ucla.edu/uspto-gov--zone.html

I'm hoping that this page will be helpful in debugging and verifying your zone.

Eric

On May 17, 2010, at 3:51 PM, Lear, Karen (Evolver) wrote:

> Thanks...we are looking into this now and after we implement changes, I would welcome your support in testing.
> 
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Mark Andrews
> Sent: Monday, May 17, 2010 6:48 PM
> To: Florian Weimer
> Cc: dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] uspto.gov
> 
> 
> In message <87sk5qwlct.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>> uspto.gov is signed, but the servers for that zone cannot reliably
>> deliver the DNSKEY RRset.  Curiously, the smaller trailing fragment
>> seems to be missing.  It's probably not even a case of not doing PMTUD
>> properly, it happens with a 1500 MTU, too.  (This has been observed
>> with the 151.207.240.50 server, but others don't work, either.)
>> 
>> Is anybody interested in debugging this?
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> It sounds like a firewall that doesn't know / isn't configured to
> allow fragments other than the first through.
> 
> The DNS administrator there seems to want to get things fixed, but
> is having trouble working with the firewall administrators to get
> a working configuration.  Providing external feedback to her will
> help get the firewall fixed.
> 
> Mark
> 
> bsdi# tcpdump -i sis0 -s 0 -n -p host 151.207.246.51
> tcpdump: listening on sis0
> 08:44:22.149011 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
> 08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17340:1480 at 0+)
> 08:44:27.173490 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
> 08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17341:1480 at 0+)
> 08:44:32.202189 211.30.172.21.56298 > 151.207.246.51.53:  63425 [1au] DNSKEY? uspto.gov. ar: OPT UDPsize=2048,DO=1 (38)
> 08:44:32.447367 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG[|domain] (frag 17342:1480 at 0+)
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

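A check for the symptom in the quoted trace (a first fragment with the more-fragments flag set and no trailing fragment), as an added example that is not part of the original thread. It assumes the old tcpdump `(frag id:len at offset+)` notation shown in the trace; the function name and the 192.0.2.53 sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump fragment note: (frag <ip-id>:<bytes> at <offset>[+]).
# A trailing "+" means the IP More Fragments flag is set.
FRAG_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:.*"
    r"\(frag (?P<id>\d+):(?P<len>\d+) at (?P<off>\d+)(?P<mf>\+?)\)"
)

def incomplete_datagrams(lines):
    """Return (src, dst, ip_id, bytes_seen) for datagrams that never reassemble."""
    frags = defaultdict(list)
    for line in lines:
        m = FRAG_RE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], int(m["id"]))
            frags[key].append((int(m["off"]), int(m["len"]), m["mf"] == "+"))
    missing = []
    for (src, dst, ip_id), parts in frags.items():
        covered, complete = 0, False
        for off, length, more in sorted(parts):
            if off > covered:        # hole: an earlier fragment never arrived
                break
            covered = max(covered, off + length)
            complete = not more      # the final fragment has MF clear
        if not complete:
            missing.append((src, dst, ip_id, covered))
    return missing

# Lines 1-2 follow the trace in the thread (record list abbreviated).
# Lines 3-4 are constructed: a server whose trailing fragment does arrive.
SAMPLE = [
    "08:44:22.396169 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 "
    "DNSKEY, RRSIG[|domain] (frag 17340:1480 at 0+)",
    "08:44:27.423744 151.207.246.51.53 > 211.30.172.21.56298:  63425*- 7/0/1 "
    "DNSKEY, RRSIG[|domain] (frag 17341:1480 at 0+)",
    "09:00:00.000001 192.0.2.53.53 > 211.30.172.21.40000:  1234*- 7/0/1 "
    "DNSKEY, RRSIG[|domain] (frag 500:1480 at 0+)",
    "09:00:00.000002 192.0.2.53 > 211.30.172.21: (frag 500:212 at 1480)",
]

if __name__ == "__main__":
    for src, dst, ip_id, seen in incomplete_datagrams(SAMPLE):
        print(f"{src} -> {dst} id {ip_id}: {seen} bytes seen, trailing fragment missing")
```

Run against a capture taken on the resolver side, any server that appears in the output is one whose responses are being truncated in transit rather than by the name server itself.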