[dns-operations] Dealing with the bizarre - grantee.fema.gov
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Jul 9 00:21:26 UTC 2020

On Wed, Jul 08, 2020 at 05:07:43PM -0700, Brian Somers wrote:
> Interesting. I just see:
>
> # dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @216.81.81.101
>
> ; <<>> DiG 9.16.4 <<>> +cd +norecurse +tries +bufsize +dnssec dnskey grantee.fema.gov @216.81.81.101
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Never a response when I give it a big enough bufsize…
> I wonder what unbound is doing that dig isn’t.
>
> Of course our resolvers only ask for bufsize=1410, get a
> TC, ask over TCP and get a response with just the SOA,
> which isn’t even a valid denial :(

There is likely a network path between your machine and the
authoritative servers where IP fragments are dropped, and
reassembly of the full UDP datagram fails.
--
Viktor.
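
The diagnosis above, as an added example that is not part of the original message: a small Python model of an IPv4 path that drops fragments, showing why an advertised EDNS buffer of 2000 times out while 1410 yields TC and a TCP retry. The 1700-byte response size and the 1500-byte path MTU are assumptions; only the two buffer sizes come from the thread.

```python
# Added illustration. Sizes are assumptions, not measurements of the server
# discussed in the thread. The server is modelled as filling the advertised
# EDNS buffer whenever the response fits.
IPV4_HDR = 20
UDP_HDR = 8

def ipv4_fragments(dns_len, mtu=1500):
    """Sizes (bytes, IP header included) of the IPv4 packets needed to carry
    one UDP datagram holding dns_len bytes of DNS message."""
    payload = UDP_HDR + dns_len
    if IPV4_HDR + payload <= mtu:
        return [IPV4_HDR + payload]
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    sizes = []
    while payload > per_frag:
        sizes.append(IPV4_HDR + per_frag)
        payload -= per_frag
    sizes.append(IPV4_HDR + payload)
    return sizes

def query_outcome(bufsize, response_len, mtu=1500, path_drops_fragments=True):
    """What the client observes for one UDP query."""
    if response_len > bufsize:
        # Server cannot fit the answer in the advertised buffer: sets TC.
        return "truncated (TC=1), retry over TCP"
    if len(ipv4_fragments(response_len, mtu)) > 1 and path_drops_fragments:
        # Datagram was split; a lost fragment means reassembly never completes.
        return "timeout (fragments dropped, reassembly fails)"
    return "answer over UDP"

def largest_unfragmented_bufsize(mtu=1500):
    """Largest DNS message that still fits in a single IPv4/UDP packet."""
    return mtu - IPV4_HDR - UDP_HDR

if __name__ == "__main__":
    RESPONSE_LEN = 1700  # assumed size of the signed DNSKEY response
    for bufsize in (2000, 1410):  # the two values mentioned in the thread
        print(bufsize, "->", query_outcome(bufsize, RESPONSE_LEN))
    print("fragments:", ipv4_fragments(RESPONSE_LEN))
    print("max unfragmented:", largest_unfragmented_bufsize())
```
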