[dns-operations] gpo.gov issues

Timothy Morizot tmorizot at gmail.com
Thu Oct 31 21:00:21 UTC 2013


Hello all,

I've encountered an issue resolving MX records from gpo.gov. It's unlike
anything I've encountered before and I'm stumped. It took me a while to
figure out why resolution of just that one record type for the zone was
failing. But I was finally able to recreate it. (The queries below are from
my home network since I have more access and it's easier to pull examples
here than at work. But I reproduced the same thing at work.) Because we had
encountered issues getting fragmented UDP responses from some authoritative
servers for DNSSEC signed zones with an edns0 buffer of 4096 (presumably
because they were blocking outbound udp fragments on their firewalls) we've
reduced the advertised buffer size on our caches to 1280. When I query the
authoritative nameservers for gpo.gov directly with a bufsize of 4096, I
get a response. When I try an intermediate buffer size, the query times
out. When I reduce it all the way to 512 bytes, I get a response again.

When I run the same queries (well, obviously without +norecurse) through an
intermediate cache (my own personal one with a 4096 buffer size, the OVDR
servers, etc.) I get a response for all specified buffer sizes. I don't
have a similar problem querying any other authoritative nameserver for a
signed zone that I can find. I'm stumped. And it's just MX record queries.
SOA, DNSKEY, A, and NS responses all work just fine with different buffer
sizes.

Anyone have any ideas?

Thanks,

Scott

==========================================================================

dig @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=4096

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=4096
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6458
;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gpo.gov.                       IN      MX

;; ANSWER SECTION:
gpo.gov.                3600    IN      MX      10 hqsmtp01.gpo.gov.
gpo.gov.                3600    IN      MX      30 acfsmtp01.gpo.gov.
gpo.gov.                3600    IN      MX      20 hqsmtp02.gpo.gov.
gpo.gov.                3600    IN      RRSIG   MX 8 2 3600 20131106191056
20131030191056 31164 gpo.gov.
ZksyQ1oJjbToW/+BURUj1wTvStDUUEXhEqbbo2i0W+fJitY+FooTnU0Z
hs5HaS5y8/nvZyy0DHDxwX2RkfJFc9XsHWrf9NxGtjzNwYWrz1IdmV4n
lmp7uYQYvXVWukh4ZceGsvdFNpiUp18qTEFMRlv3EvEgROa7CWgt1rif FFU=
gpo.gov.                3600    IN      RRSIG   MX 8 2 3600 20131106211107
20131030211107 52704 gpo.gov.
LypsGT8FFAcNInpWpVrBuYWqAH6Hp6ae9SEIvbNd2P4bn33nV9k4UdAD
NvOLHlnI380OIyAbpcoHwVupwJERU97Kf4e+b5cOqq5i0imfJ526+9zV
XHpreaEE3GgN6PG9F8LffYvHGMBNK5KjEZr/tITXnHrPPdwJ22FXackw XoM=

;; AUTHORITY SECTION:
gpo.gov.                28800   IN      NS      ns2.gpo.gov.
gpo.gov.                28800   IN      NS      ns1.gpo.gov.
gpo.gov.                28800   IN      RRSIG   NS 8 2 28800 20131106200633
20131030200633 31164 gpo.gov.
MzZVRvDEWaE5NA73TxRkWhDHqUKCQOCNc/MSTw3BPyLbHool4RDBUVxn
16ulk8ZM0wWhVfdSS8ic6aguF0MDNRSca+RaOmCd4LJf9UtPCAAH78Ex
2kGEa2POmEu1IsCI0Nyz4oEuJJ5/zsDVa+qF3ng/qP21jbEzW0EwCk0x RIk=
gpo.gov.                28800   IN      RRSIG   NS 8 2 28800 20131106205153
20131030205153 52704 gpo.gov.
vrSbhbK9lNVSM+z+ErJFXckKCZQocoXT+kNFBsA9XzWcD0rlXZKhyUW/
IqlqcqSLVIDAZvEjCJOueoSg9LwIVslRXjtD0oDx7doiksQzsdlbCI29
GTjyZBUNPCF5awQ71ACFr+VYGweJ1+QMazTBeuYnJXmjk031/KY0Qlzy tvM=

;; ADDITIONAL SECTION:
acfsmtp01.gpo.gov.      28800   IN      A       162.140.252.175
acfsmtp01.gpo.gov.      28800   IN      RRSIG   A 8 3 28800 20131107200340
20131031200340 31164 gpo.gov.
EKWNOkSTBJc2WzddWLYtTP50sD8dHwQm4ikB9sDLfkp52bEC1rcAfwFf
TdTUlHt6bcKaBuWX3MRGanL9tCpmJxYMEl02JTlLwoqId8Jay7TeNAZK
HAF7D9c1MRMgVwZY7QAqgvmhdI0t2cnpL6WcJ2goIfQcSuSsmK8afL+p U5o=
acfsmtp01.gpo.gov.      28800   IN      RRSIG   A 8 3 28800 20131106185143
20131030185143 52704 gpo.gov.
es1WvENsCcUTjIwlp3ZFkEthXXsWROpG6XU0eWuHj4mRD54uMRBXTS/v
yyNgwF0QUie/47ZudgGeWiSYK7aCJGO5p1Xo6tZAotdGCOCKCTfsI5bb
ponLHOjk9rqV0SG2a7weyXicYq4xZwrX9acbeu72HZLZK+AeWhyaJ6/z Hyo=
hqsmtp02.gpo.gov.       28800   IN      A       162.140.64.7
hqsmtp02.gpo.gov.       28800   IN      RRSIG   A 8 3 28800 20131107123314
20131031123314 31164 gpo.gov.
jVmMwDwYo8x8jBIqyjsmtW0jEOV3QcNP044YYMvvBBZTVyIwAqjUL+Uz
S7ak1aPm8ayc+uJSPN61cy2Y4vIKSzhU0QULv2H8Zb4cyIN23vhkuNzd
hcVCpN/wgcLgbieTVifd2lGA7udcvMx+srs18b9iewBfEB2AlLS7wJB9 St8=
hqsmtp02.gpo.gov.       28800   IN      RRSIG   A 8 3 28800 20131107153751
20131031153751 52704 gpo.gov.
pP49evlU9CiIS5Y3IQJ34OI3kN52mOmCzE00b9FvcBQvjZLcg5YuBR+M
Qm7SemuLy55/aNKDjx24hk2ClRG5lxj35SQKGa8pa5oMvou3dxDY4+Lx
sfyZZ/cgmWK4fIeMsL0b3gxNSHOOsnB9XR3aPsJvfFX8TD8Jp1mkXGyj McQ=
hqsmtp01.gpo.gov.       28800   IN      A       162.140.64.8
hqsmtp01.gpo.gov.       28800   IN      RRSIG   A 8 3 28800 20131107163748
20131031163748 31164 gpo.gov.
OUO3Fk1XpvTyIqDR1WiFn3nXwGrAnTUAD3uI53gsoKO7bdOX69Nhp0Ar
R3LjjBxkG4o5OKpLRDfqBnGS0YwWAFUNHNMz/gAcBOn98RjLFWfe7LXn
An5DiROxh7/M4jgT/XBdeMARHGGcAHy25aRa8M1+pxK9tnOhzet7edYQ f5A=
hqsmtp01.gpo.gov.       28800   IN      RRSIG   A 8 3 28800 20131107194035
20131031194035 52704 gpo.gov.
sqWMFslhQGJHUYuuNpC4sA7gbXPZ0+rI1Iw5QFG3snBso+9UfywVCsNC
a4Eqy5h2fsIoMLRjtRRcTt2/p7qK6sfjPzhFxnV/QYpUnpKB5jyR2GxW
D25VJ76uOFjTafALZuinEn/uyUbN3e5IuGbYvgPqBuLbvPthQ5fOfn7m BU0=
ns2.gpo.gov.            28800   IN      A       162.140.252.180
ns2.gpo.gov.            28800   IN      RRSIG   A 8 3 28800 20131106175946
20131030175946 31164 gpo.gov.
CQwsTtIcUF8fv3dfjo2k8Y0dT1K5uvEOKNjDifK9zHJVDhNoy1tCMB7/
wdiGRY7c8XsFxy9A6MjgowBdSu5RV7l6TuiOezX/nOLC1XlwPp/zyUoL
44kQh47ewLdNHOz+QUC5AmRlOu1GwUWnmov26qQ/eU6wONABDx2dhrBs 0U4=
ns2.gpo.gov.            28800   IN      RRSIG   A 8 3 28800 20131106211705
20131030211705 52704 gpo.gov.
gSg10L9Fg71yucsHDX1Owu9WgwxdqJZz+g3uWPYypzBSWOrJYrkJdL++
PbZZz+o2MAR2TCOO6n43+vq5bcel/2p254kqKLZ9FmKrht3O7fn17Tqr
JVFVBmH9jqNgn5boy5iF/Jam+6WLRnL1ji8VANmAt1xSqdtXZ2mm5Wyf aCM=
ns1.gpo.gov.            28800   IN      A       162.140.64.100
ns1.gpo.gov.            28800   IN      RRSIG   A 8 3 28800 20131106190716
20131030190716 31164 gpo.gov.
bTBhsjnCfKYangIwL/Pk77ZvwsoH/Y0hYdnJsQFYE8wOBztIRKAHFDjr
lvnBOquWbgl6qrNqEzWlt5rkHlrBQHduwpwn560gy/zKed8Z0QcycCB9
cK6rl2qRkolikqzbaTs/CHDdtA/WmH8b1basRinazKDVsuOzgs1kO/K9 Bs4=
ns1.gpo.gov.            28800   IN      RRSIG   A 8 3 28800 20131106204627
20131030204627 52704 gpo.gov.
EXpqFW741L1EguseTqzWNaFaNMw1yNLNoNUcBSy+9Ay+V/1C37GA4f8C
pl9WT4hljIzhzsUG7RyuqdzuuaxA335mAB/4qpC20uk5Peukti1rZRpT
tRPRPrzq4++Nay/Tdm0JZHvlnLJ8kFHu4UkpIUkmN7QaZkgymSq+CZFk unY=

;; Query time: 114 msec
;; SERVER: 162.140.64.100#53(162.140.64.100)
;; WHEN: Thu Oct 31 15:29:54 2013
;; MSG SIZE  rcvd: 2468


============================================================================

dig @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=2048

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=2048
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=1280

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=1280
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


dig @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=1024

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=1024
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

==============================================================================

dig @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=512

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.gpo.gov gpo.gov mx +dnssec +norecurse +bufsize=512
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50071
;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gpo.gov.                       IN      MX

;; ANSWER SECTION:
gpo.gov.                3600    IN      MX      10 hqsmtp01.gpo.gov.
gpo.gov.                3600    IN      MX      30 acfsmtp01.gpo.gov.
gpo.gov.                3600    IN      MX      20 hqsmtp02.gpo.gov.
gpo.gov.                3600    IN      RRSIG   MX 8 2 3600 20131106191056
20131030191056 31164 gpo.gov.
ZksyQ1oJjbToW/+BURUj1wTvStDUUEXhEqbbo2i0W+fJitY+FooTnU0Z
hs5HaS5y8/nvZyy0DHDxwX2RkfJFc9XsHWrf9NxGtjzNwYWrz1IdmV4n
lmp7uYQYvXVWukh4ZceGsvdFNpiUp18qTEFMRlv3EvEgROa7CWgt1rif FFU=
gpo.gov.                3600    IN      RRSIG   MX 8 2 3600 20131106211107
20131030211107 52704 gpo.gov.
LypsGT8FFAcNInpWpVrBuYWqAH6Hp6ae9SEIvbNd2P4bn33nV9k4UdAD
NvOLHlnI380OIyAbpcoHwVupwJERU97Kf4e+b5cOqq5i0imfJ526+9zV
XHpreaEE3GgN6PG9F8LffYvHGMBNK5KjEZr/tITXnHrPPdwJ22FXackw XoM=

;; Query time: 52 msec
;; SERVER: 162.140.64.100#53(162.140.64.100)
;; WHEN: Thu Oct 31 15:34:39 2013
;; MSG SIZE  rcvd: 432
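
The buffer-size sweep from the message above, as an added example that is not part of the original post: it builds the same non-recursive, DO-set query with each advertised EDNS0 size and records whether the server answered, set the TC bit, or stayed silent. The function names (`build_query`, `classify`, `sweep`) are hypothetical, and `SAMPLE_REPLY` is a header constructed from the flags and counts in the 512-byte dig output.

```python
import socket
import struct
import sys

def build_query(name, qtype, bufsize, qid=0x1234):
    """Non-recursive query (RD clear) carrying an EDNS0 OPT record with DO set."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS carries the advertised UDP size,
    # TTL carries ext-rcode/version/flags (DO = 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt

def classify(reply, bufsize):
    """Summarise one reply; None means nothing arrived before the timeout."""
    if reply is None:
        return "timeout"
    _, flags, _, an, ns, ar = struct.unpack("!6H", reply[:12])
    state = "truncated" if flags & 0x0200 else "answer"  # TC bit
    over = " OVERSIZE" if len(reply) > bufsize else ""
    return f"{state} rcode={flags & 0xF} an={an} ns={ns} ar={ar} size={len(reply)}{over}"

def sweep(server, name, qtype=15, sizes=(4096, 2048, 1280, 1024, 512), timeout=5.0):
    """Ask the same question once per advertised size; qtype 15 is MX."""
    results = {}
    for size in sizes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, size), (server, 53))
            try:
                reply, _ = s.recvfrom(65535)
            except socket.timeout:
                reply = None
        results[size] = classify(reply, size)
    return results

# Constructed sample: a 12-byte header with the flags (qr aa ad) and counts from
# the 512-byte answer in the post, zero-padded to its reported 432 bytes.
SAMPLE_REPLY = bytes.fromhex("123484200001000500000001") + bytes(420)

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_REPLY, 512))
    if len(sys.argv) == 3:  # usage: script.py <server-ip> <zone>
        for size, result in sweep(sys.argv[1], sys.argv[2]).items():
            print(size, result)
```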