[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(

Paul Vixie paul at redbarn.org
Fri May 1 07:02:21 UTC 2020


they will have to be troubled. perhaps we can notify them first. that config is not sustainable.


On 30 Apr 2020, 23:38, at 23:38, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>On Sun, Apr 19, 2020 at 12:39:24AM -0400, Viktor Dukhovni wrote:
>
>> The DANE survey unbound resolver is presently configured to advertise an
>> EDNS UDP buffer size of 1232 bytes (to avoid UDP fragmentation problems
>> over IPv6).  With this buffer size (or indeed any buffer size below 1346
>> bytes) and the DO bit set to solicit DNSSEC signatures, queries for the
>> darpa.mil MX host TLSA records fail:
>
>FWIW, with ofda.gov even 1410 is not enough, EDNS buffer sizes less than
>1555 (requiring working fragmentation) elicit a TC=1 response, but TCP
>is not available.
>
>Timeout:
>
>dig +bufsize=1554 +dnssec +norecur @$ip -t tlsa _25._tcp.dc4vasmtp01.ofda.gov
>
>Success:
>
>dig +bufsize=1555 +dnssec +norecur @$ip -t tlsa _25._tcp.dc4vasmtp01.ofda.gov
>
>--
>    Viktor.
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200501/600558c6/attachment.html>


More information about the dns-operations mailing list
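The buffer-size thresholds reported in the quoted message can be located by bisection. The following is an added example, not part of the original thread: it builds the wire-format query that the quoted `dig` commands send (RD clear, EDNS OPT record with the DO bit and a chosen UDP buffer size), checks the TC bit of the reply, and searches for the smallest size that yields a complete UDP answer. The function names and `simulated_server` are hypothetical; the simulated server is a constructed, offline stand-in that assumes truncation depends only on the advertised size, and a real `probe` would send the query over UDP and return `None` on timeout.

```python
import struct

TLSA = 52          # TLSA RR type (RFC 6698)
TC_BIT = 0x0200    # truncation flag in the DNS header
DO_BIT = 0x8000    # "DNSSEC OK" flag, carried in the OPT record's TTL field

def build_query(qname, qtype, bufsize, qid=0x1234):
    """Wire-format equivalent of: dig +bufsize=N +dnssec +norecur -t TYPE NAME."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)   # flags=0 (RD clear), 1 question, 1 additional
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!2H", qtype, 1)    # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP buffer size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, DO_BIT, 0)
    return header + question + opt

def advertised_bufsize(query):
    """Read the buffer size back from the trailing OPT record of a query built above."""
    return struct.unpack("!H", query[-8:-6])[0]

def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)

def min_working_bufsize(probe, name, lo=512, hi=4096):
    """Smallest buffer size whose UDP reply is complete (TC=0), or None if hi fails.
    probe(query_bytes) returns the reply bytes, or None on timeout."""
    def ok(size):
        resp = probe(build_query(name, TLSA, size))
        return resp is not None and not is_truncated(resp)
    if not ok(hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if ok(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

def simulated_server(answer_size):
    """Constructed stand-in for an authoritative server: header-only replies, no network."""
    def probe(query):
        qid = struct.unpack("!H", query[:2])[0]
        tc = TC_BIT if advertised_bufsize(query) < answer_size else 0
        return struct.pack("!6H", qid, 0x8400 | tc, 1, 0, 0, 1)  # QR|AA, plus TC if too small
    return probe

if __name__ == "__main__":
    # 1555 is the threshold reported for ofda.gov in the quoted message.
    print(min_working_bufsize(simulated_server(1555), "_25._tcp.dc4vasmtp01.ofda.gov"))
```

When TCP to the server is unavailable, every size below the returned value is a hard failure rather than a slow path, which is the situation the thread describes.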