[dns-operations] EDNS issue

Mark Andrews marka at isc.org
Fri Feb 25 01:26:42 UTC 2011 

In message <006d01cbd482$d54e5a30$7feb0e90$@iname.com>, "Frank Bulk" writes:
> Our ISP helpdesk has been receiving a lot of complaints about their
> inability to check the weather weather.gov, specifically,
> forecast.weather.gov.  Some digs showed that queries were failing, and my
> BIND logs show the same:

Make sure you can receive fragmented UDP responses.  The servers
are sending good reponses.

;; Query time: 201 msec
;; SERVER: 140.172.17.237#53(ns-mw.noaa.gov)
;; WHEN: Fri Feb 25 12:17:01 2011
;; MSG SIZE  rcvd: 2052

Try the following two queries.  The first response will be fragmented
and the second shouldn't be fragmented.

dig @140.172.17.237 +dnssec forecast.weather.gov
dig @140.172.17.237 +dnssec forecast.weather.gov +bufsize=1400

Mark

> Feb 24 18:25:12 10.20.0.100 named[2603]: too many timeouts resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> Feb 24 18:25:36 199.120.69.22 named[5289]: success resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
> Feb 24 18:25:37 10.20.0.200 named[2583]: success resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
> Feb 24 18:25:38 10.20.0.100 named[2603]: too many timeouts resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> Feb 24 18:25:39 199.120.69.22 named[5289]: success resolving
> 'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:40 199.120.69.22 named[5289]: success resolving
> 'www.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:42 10.20.0.200 named[2583]: success resolving
> 'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:42 10.20.0.100 named[2603]: too many timeouts resolving
> 'radar.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> 
> 
> A quick check showed the following:
> 
> 	mail1:~# dig -4 +short rs.dns-oarc.net txt
> 	rst.x1002.rs.dns-oarc.net.
> 	rst.x1994.x1002.rs.dns-oarc.net.
> 	rst.x2495.x1994.x1002.rs.dns-oarc.net.
> 	"Tested at 2011-02-25 00:20:31 UTC"
> 	"2607:fe28:0:1003:223:7dff:fe9c:4aa5 sent EDNS buffer size 4096"
> 	"2607:fe28:0:1003:223:7dff:fe9c:4aa5 DNS reply size limit is at
> least 2495"
> 	mail1:~#
> 	mail1:~# dig forecast.weather.gov
> 
> 	; <<>> DiG 9.3.4-P1.1 <<>> forecast.weather.gov
> 	;; global options:  printcmd
> 	;; connection timed out; no servers could be reached
> 
> Does this make sense?  EDNS of size 512 shouldn't be an issue, yet all 7
> *nix DNS servers (the first one is above) running BIND complain.  The first
> four of the DNS servers are behind an old F5 BigIP, the others aren't.
> 
> 	root at nagios:/var/log#  dig -4 +short rs.dns-oarc.net txt
> 	rst.x1002.rs.dns-oarc.net.
> 	rst.x1222.x1002.rs.dns-oarc.net.
> 	rst.x1403.x1222.x1002.rs.dns-oarc.net.
> 	"96.31.0.5 DNS reply size limit is at least 1403"
> 	"Tested at 2011-02-25 00:24:38 UTC"
> 	"96.31.0.5 sent EDNS buffer size 4096"
> 	root at nagios:/var/log#
> 	root at nagios:/var/log# dig forecast.weather.gov
> 
> 	; <<>> DiG 9.5.1-P3 <<>> forecast.weather.gov
> 	;; global options:  printcmd
> 	;; connection timed out; no servers could be reached
> 	root at nagios:/var/log#
> 
> Any ideas?  Querying our corporate Microsoft DNS server, behind a Cisco ASA,
> works fine!
> 
> Frank Bulk
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list