[dns-operations] EDNS issue

Frank Bulk frnkblk at iname.com
Fri Feb 25 04:39:45 UTC 2011


Mark:

Our border routers block fragments:

	Edge1#sh run | inc frag
	access-list 101 deny   tcp any any log fragments
	access-list 101 deny   udp any any log fragments
	access-list 101 deny   icmp any any log fragments
	access-list 101 deny   ip any any log fragments
	Edge1#

Not sure if that's the same kind of fragments as you're talking about.  

The first query failed, the second didn't.  Do I need to be making some
changes to our border routers?

root at nagios:/etc/cron.hourly# dig @140.172.17.237 +dnssec forecast.weather.gov

; <<>> DiG 9.5.1-P3 <<>> @140.172.17.237 +dnssec forecast.weather.gov
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
root at nagios:/etc/cron.hourly# dig @140.172.17.237 +dnssec forecast.weather.gov +bufsize=1400

; <<>> DiG 9.5.1-P3 <<>> @140.172.17.237 +dnssec forecast.weather.gov +bufsize=1400
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12832
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;forecast.weather.gov.          IN      A

;; ANSWER SECTION:
forecast.weather.gov.   5       IN      CNAME   edge-ext.lb.noaa.gov.
forecast.weather.gov.   5       IN      RRSIG   CNAME 5 3 5 20110303213142
20110224213142 17808 weather.gov.
B/ga+/E+QUWvvGxAbCqcekDsZj0H0cCnYtB3n4/SPiRaGQZyLTbKHAFr
U2wsBQdecrAwtcbMA1eIHpqVw1c15H6L6m2931fUJ0uUXk9ahBiBIf5h
ztst05qoFrbotqFiZjO4sYTOK02YxSnmSWv0RpFIYzMGd9vYL4mpC7EF
mM0/97QBJTMI51dZPU2tLuLXYc7ZX3psKM145r90vp3HMZU4h+dCkl6S
QcVq23qy/3UHvw50G1N3HHwIp0asExGQ2dJilWDk/1/jsAAV87GzA+sg
+0pjPnd45Rdd/HC1thj/Bq4KK6FOLzzWFAey5HpWvxt1o5Mnh7c8rPeK V8puqA==
edge-ext.lb.noaa.gov.   30      IN      A       129.15.96.22
edge-ext.lb.noaa.gov.   30      IN      A       140.90.33.21
edge-ext.lb.noaa.gov.   30      IN      A       140.90.33.22
edge-ext.lb.noaa.gov.   30      IN      A       140.90.200.22
edge-ext.lb.noaa.gov.   30      IN      A       140.172.17.22
edge-ext.lb.noaa.gov.   30      IN      RRSIG   A 5 4 30 20110304033622
20110225033622 38565 lb.noaa.gov.
qAGLlVt9kZbwvP9DGodd+a/IHX/l+jY/7Pkk7Pcss4nuaKEL01H5TmsF
37CPDz8oaSHSX0PnVz7aMh3LDAjyEupgF7Rcqh0eu+9bQQBy8D+/h4LI
7Zrqa+t2Km4Ummx6Xn3miHqHHFyheMlMvUKXzdQZRvwrMYYkAPHYDFU/
RB23/jRb5ng5tHvyuFz2rp5TjL4j1wJbusHKkwa9EHJPEjmPPTufNz6/
aVM69UN/sIjwhr/JMjonwLswk/5+PUu4FieOl6ot6d/8HPn9/x5uad+N
uKY9v0RV7pDvqnUyR0rR+vWCHu5TGVc/8MKNRmdToNmGQNEFXGxxn1sB Fh6Djg==

;; AUTHORITY SECTION:
lb.noaa.gov.            86400   IN      NS      ns-mw.noaa.gov.
lb.noaa.gov.            86400   IN      NS      ns-nw.noaa.gov.
lb.noaa.gov.            86400   IN      NS      ns-e.noaa.gov.
lb.noaa.gov.            86400   IN      RRSIG   NS 5 3 86400 20110304033622
20110225033622 38565 lb.noaa.gov.
MWFCzQO4u74tqr7lxAuzT5LEEZPl45BHabC5ftC96Ufd8GB7n/AqOppT
kO01bwAZBt30FBGShq1R+wc0nPFlLzJE5flyvA5dJwlF6jDh5fL9xt80
UFEwlGdS/ogPeKdgNKrIMQ+VlMn5sd3rhaff9+rfIH3Bx38B8pZiQt5q
Ii+vll/ASbHiLO91G6b6Ht8XoWn2y/jwQVAhApCI8DMswISqUZcQVoix
V9OllJowlvuEJx/lFZYHjMibnHEZsSLr+mccMvB0tt46fdm3u7aDsUHr
OrTLG6bh60AnyYtb+zExc2odyzlEx+AE+U72HWn7fhHg7HRbiXzYvfcZ x5yrOw==

;; ADDITIONAL SECTION:
ns-e.noaa.gov.          86400   IN      A       140.90.33.237
ns-mw.noaa.gov.         86400   IN      A       140.172.17.237
ns-nw.noaa.gov.         86400   IN      A       161.55.32.2

;; Query time: 55 msec
;; SERVER: 140.172.17.237#53(140.172.17.237)
;; WHEN: Thu Feb 24 22:36:56 2011
;; MSG SIZE  rcvd: 1164

root at nagios:/etc/cron.hourly#
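The two-query test above can be automated so the check runs from a monitoring host on a schedule. The following is an added example, not code from the list thread or from any of the posters: it hand-builds a DNSSEC query with an EDNS0 OPT record advertising a chosen UDP buffer size, parses the OPT record back out of a message, and probes a server with several sizes so that "works at 1400 but not at 4096" shows up as a data point rather than a guess. The 3-second timeout and the size list are assumptions.

```python
import socket
import struct

def build_edns_query(name, bufsize=4096, do=True, qid=0x1234):
    """Build a DNS A query carrying an EDNS0 OPT RR that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    qname = b"".join(bytes([len(lbl)]) + lbl.encode()
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | flags (DO bit is 0x8000 of the flags), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_opt(msg):
    """Return {'udp': advertised size, 'do': DO flag} from a message's OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12

    def skip_name(p):  # handles both plain labels and compression pointers
        while True:
            ln = msg[p]
            if ln == 0:
                return p + 1
            if ln & 0xC0 == 0xC0:
                return p + 2
            p += ln + 1

    for _ in range(qd):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return {"udp": rclass, "do": bool(ttl & 0x8000)}
        pos += 10 + rdlen
    return None

def probe(server, name, sizes=(4096, 1400, 512), timeout=3.0):
    """Send the same DNSSEC query once per advertised size; map size -> reply bytes or None."""
    results = {}
    for size in sizes:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(build_edns_query(name, size), (server, 53))
            data, _ = s.recvfrom(65535)
            results[size] = len(data)  # a reply that fits below the MTU arrives unfragmented
        except socket.timeout:
            results[size] = None  # a timeout only at large sizes points at dropped fragments
        finally:
            s.close()
    return results
```

With the thread's server and name, `probe("140.172.17.237", "forecast.weather.gov")` returning a reply at 1400 and 512 but `None` at 4096 is the signature of fragments being dropped on the path.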

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Thursday, February 24, 2011 7:27 PM
To: frnkblk at iname.com
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] EDNS issue


In message <006d01cbd482$d54e5a30$7feb0e90$@iname.com>, "Frank Bulk" writes:
> Our ISP helpdesk has been receiving a lot of complaints about their
> inability to check the weather weather.gov, specifically,
> forecast.weather.gov.  Some digs showed that queries were failing, and my
> BIND logs show the same:

Make sure you can receive fragmented UDP responses.  The servers
are sending good responses.

;; Query time: 201 msec
;; SERVER: 140.172.17.237#53(ns-mw.noaa.gov)
;; WHEN: Fri Feb 25 12:17:01 2011
;; MSG SIZE  rcvd: 2052

Try the following two queries.  The first response will be fragmented
and the second shouldn't be fragmented.

dig @140.172.17.237 +dnssec forecast.weather.gov
dig @140.172.17.237 +dnssec forecast.weather.gov +bufsize=1400

Mark

> Feb 24 18:25:12 10.20.0.100 named[2603]: too many timeouts resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> Feb 24 18:25:36 199.120.69.22 named[5289]: success resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
> Feb 24 18:25:37 10.20.0.200 named[2583]: success resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
> Feb 24 18:25:38 10.20.0.100 named[2603]: too many timeouts resolving
> 'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> Feb 24 18:25:39 199.120.69.22 named[5289]: success resolving
> 'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:40 199.120.69.22 named[5289]: success resolving
> 'www.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:42 10.20.0.200 named[2583]: success resolving
> 'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
> Feb 24 18:25:42 10.20.0.100 named[2603]: too many timeouts resolving
> 'radar.weather.gov/A' (in 'weather.gov'?): disabling EDNS
> 
> 
> A quick check showed the following:
> 
>   mail1:~# dig -4 +short rs.dns-oarc.net txt
>   rst.x1002.rs.dns-oarc.net.
>   rst.x1994.x1002.rs.dns-oarc.net.
>   rst.x2495.x1994.x1002.rs.dns-oarc.net.
>   "Tested at 2011-02-25 00:20:31 UTC"
>   "2607:fe28:0:1003:223:7dff:fe9c:4aa5 sent EDNS buffer size 4096"
>   "2607:fe28:0:1003:223:7dff:fe9c:4aa5 DNS reply size limit is at
> least 2495"
>   mail1:~#
>   mail1:~# dig forecast.weather.gov
> 
>   ; <<>> DiG 9.3.4-P1.1 <<>> forecast.weather.gov
>   ;; global options:  printcmd
>   ;; connection timed out; no servers could be reached
> 
> Does this make sense?  EDNS of size 512 shouldn't be an issue, yet all 7
> *nix DNS servers (the first one is above) running BIND complain.  The first
> four of the DNS servers are behind an old F5 BigIP, the others aren't.
> 
>   root at nagios:/var/log#  dig -4 +short rs.dns-oarc.net txt
>   rst.x1002.rs.dns-oarc.net.
>   rst.x1222.x1002.rs.dns-oarc.net.
>   rst.x1403.x1222.x1002.rs.dns-oarc.net.
>   "96.31.0.5 DNS reply size limit is at least 1403"
>   "Tested at 2011-02-25 00:24:38 UTC"
>   "96.31.0.5 sent EDNS buffer size 4096"
>   root at nagios:/var/log#
>   root at nagios:/var/log# dig forecast.weather.gov
> 
>   ; <<>> DiG 9.5.1-P3 <<>> forecast.weather.gov
>   ;; global options:  printcmd
>   ;; connection timed out; no servers could be reached
>   root at nagios:/var/log#
> 
> Any ideas?  Querying our corporate Microsoft DNS server, behind a Cisco ASA,
> works fine!
> 
> Frank Bulk
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org