[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(

Viktor Dukhovni ietf-dane at dukhovni.org
Fri May 1 06:21:32 UTC 2020


On Sun, Apr 19, 2020 at 12:39:24AM -0400, Viktor Dukhovni wrote:

> The DANE survey unbound resolver is presently configured to advertise an
> EDNS UDP buffer size of 1232 bytes (to avoid UDP fragmentation problems
> over IPv6).  With this buffer size (or indeed any buffer size below 1346
> bytes) and the DO bit set to solicit DNSSEC signatures, queries for the
> darpa.mil MX host TLSA records fail:

FWIW, with ofda.gov even 1410 is not enough, EDNS buffer sizes less than
1555 (requiring working fragmentation) elicit a TC=1 response, but TCP
is not available.

Timeout:

    dig +bufsize=1554 +dnssec +norecur @$ip -t tlsa _25._tcp.dc4vasmtp01.ofda.gov

Success:

    dig +bufsize=1555 +dnssec +norecur @$ip -t tlsa _25._tcp.dc4vasmtp01.ofda.gov

--
    Viktor.



More information about the dns-operations mailing list