[dns-operations] Dealing with the bizarre - grantee.fema.gov

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jul 9 00:21:26 UTC 2020


On Wed, Jul 08, 2020 at 05:07:43PM -0700, Brian Somers wrote:

> Interesting.  I just see:
> 
>     # dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @216.81.81.101
> 
>     ; <<>> DiG 9.16.4 <<>> +cd +norecurse +tries +bufsize +dnssec dnskey grantee.fema.gov @216.81.81.101
>     ;; global options: +cmd
>     ;; connection timed out; no servers could be reached
> 
> Never a response when I give it a big enough bufsize…
> I wonder what unbound is doing that dig isn’t.
> 
> Of course our resolvers only ask for bufsize=1410, get a
> TC, ask over TCP and get a response with just the SOA,
> which isn’t even a valid denial :(

There is likely a network path between your machine and the
authoritative servers where IP fragments are dropped, and
reassembly of the full UDP datagram fails.

-- 
    Viktor.
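The diagnosis above (answers at small EDNS buffer sizes, silence at large ones) can be confirmed from the command line by repeating the dig query with a range of `+bufsize` values. The script below is an added example, not part of this thread or of any project mentioned in it: it builds the same kind of query as Brian's dig invocation (non-recursive, CD set, OPT record with the DO bit and an advertised UDP payload size), sends it at several buffer sizes, and classifies each reply. The buffer-size list is an assumption chosen to bracket the 1410 and 2000 values mentioned in the thread; the default server and zone are the ones from the quoted dig command. Only the standard library is used.

```python
"""Probe an authoritative server at several EDNS buffer sizes to spot
fragment loss: replies at small sizes but timeouts at large ones point
at dropped IP fragments on the path rather than a dead server.
Standard library only; no dnspython needed."""
import random
import socket
import struct

DNSKEY = 48
OPT = 41


def encode_name(qname):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=DNSKEY, bufsize=2000, txid=None, cd=True, do=True):
    """Equivalent of `dig +cd +norecurse +dnssec +bufsize=N`: RD clear,
    CD set, one OPT RR advertising `bufsize` with the DO bit."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0010 if cd else 0x0000          # QR=0, RD=0; CD is bit 0x0010
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLEN = 0.
    ttl = 0x00008000 if do else 0
    opt = b"\x00" + struct.pack(">HHIH", OPT, bufsize, ttl, 0)
    return header + question + opt


def parse_header(resp):
    """Return the fields of the 12-byte DNS header as a dict."""
    if len(resp) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "tc": flags >> 9 & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def outcome_for(resp, txid):
    """Classify a UDP reply the way an operator reading dig output would."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "id-mismatch"
    if h["rcode"] != 0:
        return "rcode=%d" % h["rcode"]
    if h["tc"]:
        return "truncated"
    return "answered" if h["ancount"] else "empty"


def probe(server, qname, sizes=(512, 1232, 1410, 2000, 4096), timeout=3.0):
    """Send one query per advertised buffer size over UDP.
    Returns [(size, outcome)], where outcome is one of the strings
    produced by outcome_for() or "timeout". (sizes is an assumed list.)"""
    results = []
    for size in sizes:
        txid = random.randrange(0, 0x10000)
        query = build_query(qname, bufsize=size, txid=txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            try:
                resp, _ = s.recvfrom(65535)
                results.append((size, outcome_for(resp, txid)))
            except socket.timeout:
                results.append((size, "timeout"))
    return results


if __name__ == "__main__":
    import sys
    # Defaults are the server and zone from the dig command in the thread.
    server = sys.argv[1] if len(sys.argv) > 1 else "216.81.81.101"
    zone = sys.argv[2] if len(sys.argv) > 2 else "grantee.fema.gov"
    for size, outcome in probe(server, zone):
        print("bufsize=%-5d %s" % (size, outcome))
```

A run that reports `truncated` at 1410 and `timeout` at 2000 and above reproduces the thread's symptom; `rcode=2` or `empty` at every size would point at the server itself instead. Because the script only reads the header, it does not validate the DNSSEC data; it is a path check, not a validator.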

