[dns-operations] Way to test remote EDNS capability?

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Tue Jun 11 20:41:12 UTC 2013 


----- Original Message -----
> 
> > Meanwhile I've been trying 'dig +bufsize=4096' and it seems to
> > succeed more
> > often than it fails. In one particular zone 4 of the 5 auth name
> > server
> > addresses succeeded, but the one that failed failed with both
> > +bufsize=4096
> > and +bufsize=512. Is it possible that named (BIND 9.9.3-p1) just
> > happened to
> > hit the failing server first, then it happened to work when it
> > backed the
> > packet size off and tried another server?
> >
> 
> I would think that reducing the EDNS maximum UDP payload size is done
> on a per-server basis, not on a per-zone basis, but that's pure
> speculation.
> 
> Casey

I had played around with the replysize tester a while back....  Found that I have a pair of DNS servers (my datacenter caching resolvers)...where the reply size limit will come back with a size limit of 38xx or 10xx.  I had done a script to check every 61 seconds to see if there was anyway to figure out when/why, but no luck.

All four combinations of the size limit will occur at various times throughout the day.  Not sure about distribution, I see 10xx more often when I'm watching....  But, I haven't heard of anybody having trouble with DNS queries, so haven't really pushed too hard on trying get network and IT security to see what might be interfering with these DNS server.

----

Back when I first upgraded to a bind with managed-keys....I was getting interference where it was constantly complaining about something related to managing keys...and after a few days, the resolver would stop resolving.  Restarting bind would get things working again...I guess it'll work off the compiled in key for a while, until it gets the latest key which is the same as the compiled in one....but if it can't...it hangs itself?

Since the problem started when IT security installed a Procera device....turns out the Procera considers large udp packets that appear to encrypted as P2P.  All my DNS servers are supposed to be exempted from the Procera now, which they say they have confirmed to still be when I first reported the strange replysize results back in December.

----

I do know that the datacenter DNS server take a different path in and out of campus....namely because they and most of the datacenter are behind a BigIP-LTM sandwich. 

Lawrence

More information about the dns-operations mailing list