<div dir="ltr"><div><div><div><div>Hello all,<br><br></div>I've encountered an issue resolving MX records from <a href="http://gpo.gov">gpo.gov</a>. It's unlike anything I've encountered before and I'm stumped. It took me a while to figure out why resolution of just that one record type for the zone was failing. But I was finally able to recreate it. (The queries below are from my home network since I have more access and it's easier to pull examples here than at work. But I reproduced the same thing at work.) Because we had encountered issues getting fragmented UDP responses from some authoritative servers for DNSSEC signed zones with an edns0 buffer of 4096 (presumably because they were blocking outbound udp fragments on their firewalls) we've reduced the advertised buffer size on our caches to 1280. When I query the authoritative nameservers for <a href="http://gpo.gov">gpo.gov</a> directly with a bufsize of 4096, I get a response. When I try an intermediate buffer size, the query times out. When I reduce it all the way to 512 bytes, I get a response again.<br>
<br></div>When I run the same queries (well, obviously without +norecurse) through an intermediate cache (my own personal one with a 4096 buffer size, the OVDR servers, etc.) I get a response for all specified buffer sizes. I don't have a similar problem querying any other authoritative nameserver for a signed zone that I can find. I'm stumped. And it's just MX record queries. SOA, DNSKEY, A, and NS responses all work just fine with different buffer sizes.<br>
<br></div>Anyone have any ideas?<br><br></div>Thanks,<br><br>Scott<br><br>==========================================================================<br><div><div><div><div><div><br>dig @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=4096<br>
<br>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=4096<br>; (1 server found)<br>
;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6458<br>;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 16<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>;<a href="http://gpo.gov">gpo.gov</a>. IN MX<br><br>;; ANSWER SECTION:<br><a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 10 <a href="http://hqsmtp01.gpo.gov">hqsmtp01.gpo.gov</a>.<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 30 <a href="http://acfsmtp01.gpo.gov">acfsmtp01.gpo.gov</a>.<br><a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 20 <a href="http://hqsmtp02.gpo.gov">hqsmtp02.gpo.gov</a>.<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN RRSIG MX 8 2 3600 20131106191056 20131030191056 31164 <a href="http://gpo.gov">gpo.gov</a>. ZksyQ1oJjbToW/+BURUj1wTvStDUUEXhEqbbo2i0W+fJitY+FooTnU0Z hs5HaS5y8/nvZyy0DHDxwX2RkfJFc9XsHWrf9NxGtjzNwYWrz1IdmV4n lmp7uYQYvXVWukh4ZceGsvdFNpiUp18qTEFMRlv3EvEgROa7CWgt1rif FFU=<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN RRSIG MX 8 2 3600 20131106211107 20131030211107 52704 <a href="http://gpo.gov">gpo.gov</a>. LypsGT8FFAcNInpWpVrBuYWqAH6Hp6ae9SEIvbNd2P4bn33nV9k4UdAD NvOLHlnI380OIyAbpcoHwVupwJERU97Kf4e+b5cOqq5i0imfJ526+9zV XHpreaEE3GgN6PG9F8LffYvHGMBNK5KjEZr/tITXnHrPPdwJ22FXackw XoM=<br>
<br>;; AUTHORITY SECTION:<br><a href="http://gpo.gov">gpo.gov</a>. 28800 IN NS <a href="http://ns2.gpo.gov">ns2.gpo.gov</a>.<br><a href="http://gpo.gov">gpo.gov</a>. 28800 IN NS <a href="http://ns1.gpo.gov">ns1.gpo.gov</a>.<br>
<a href="http://gpo.gov">gpo.gov</a>. 28800 IN RRSIG NS 8 2 28800 20131106200633 20131030200633 31164 <a href="http://gpo.gov">gpo.gov</a>. MzZVRvDEWaE5NA73TxRkWhDHqUKCQOCNc/MSTw3BPyLbHool4RDBUVxn 16ulk8ZM0wWhVfdSS8ic6aguF0MDNRSca+RaOmCd4LJf9UtPCAAH78Ex 2kGEa2POmEu1IsCI0Nyz4oEuJJ5/zsDVa+qF3ng/qP21jbEzW0EwCk0x RIk=<br>
<a href="http://gpo.gov">gpo.gov</a>. 28800 IN RRSIG NS 8 2 28800 20131106205153 20131030205153 52704 <a href="http://gpo.gov">gpo.gov</a>. vrSbhbK9lNVSM+z+ErJFXckKCZQocoXT+kNFBsA9XzWcD0rlXZKhyUW/ IqlqcqSLVIDAZvEjCJOueoSg9LwIVslRXjtD0oDx7doiksQzsdlbCI29 GTjyZBUNPCF5awQ71ACFr+VYGweJ1+QMazTBeuYnJXmjk031/KY0Qlzy tvM=<br>
<br>;; ADDITIONAL SECTION:<br><a href="http://acfsmtp01.gpo.gov">acfsmtp01.gpo.gov</a>. 28800 IN A 162.140.252.175<br><a href="http://acfsmtp01.gpo.gov">acfsmtp01.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131107200340 20131031200340 31164 <a href="http://gpo.gov">gpo.gov</a>. EKWNOkSTBJc2WzddWLYtTP50sD8dHwQm4ikB9sDLfkp52bEC1rcAfwFf TdTUlHt6bcKaBuWX3MRGanL9tCpmJxYMEl02JTlLwoqId8Jay7TeNAZK HAF7D9c1MRMgVwZY7QAqgvmhdI0t2cnpL6WcJ2goIfQcSuSsmK8afL+p U5o=<br>
<a href="http://acfsmtp01.gpo.gov">acfsmtp01.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131106185143 20131030185143 52704 <a href="http://gpo.gov">gpo.gov</a>. es1WvENsCcUTjIwlp3ZFkEthXXsWROpG6XU0eWuHj4mRD54uMRBXTS/v yyNgwF0QUie/47ZudgGeWiSYK7aCJGO5p1Xo6tZAotdGCOCKCTfsI5bb ponLHOjk9rqV0SG2a7weyXicYq4xZwrX9acbeu72HZLZK+AeWhyaJ6/z Hyo=<br>
<a href="http://hqsmtp02.gpo.gov">hqsmtp02.gpo.gov</a>. 28800 IN A 162.140.64.7<br><a href="http://hqsmtp02.gpo.gov">hqsmtp02.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131107123314 20131031123314 31164 <a href="http://gpo.gov">gpo.gov</a>. jVmMwDwYo8x8jBIqyjsmtW0jEOV3QcNP044YYMvvBBZTVyIwAqjUL+Uz S7ak1aPm8ayc+uJSPN61cy2Y4vIKSzhU0QULv2H8Zb4cyIN23vhkuNzd hcVCpN/wgcLgbieTVifd2lGA7udcvMx+srs18b9iewBfEB2AlLS7wJB9 St8=<br>
<a href="http://hqsmtp02.gpo.gov">hqsmtp02.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131107153751 20131031153751 52704 <a href="http://gpo.gov">gpo.gov</a>. pP49evlU9CiIS5Y3IQJ34OI3kN52mOmCzE00b9FvcBQvjZLcg5YuBR+M Qm7SemuLy55/aNKDjx24hk2ClRG5lxj35SQKGa8pa5oMvou3dxDY4+Lx sfyZZ/cgmWK4fIeMsL0b3gxNSHOOsnB9XR3aPsJvfFX8TD8Jp1mkXGyj McQ=<br>
<a href="http://hqsmtp01.gpo.gov">hqsmtp01.gpo.gov</a>. 28800 IN A 162.140.64.8<br><a href="http://hqsmtp01.gpo.gov">hqsmtp01.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131107163748 20131031163748 31164 <a href="http://gpo.gov">gpo.gov</a>. OUO3Fk1XpvTyIqDR1WiFn3nXwGrAnTUAD3uI53gsoKO7bdOX69Nhp0Ar R3LjjBxkG4o5OKpLRDfqBnGS0YwWAFUNHNMz/gAcBOn98RjLFWfe7LXn An5DiROxh7/M4jgT/XBdeMARHGGcAHy25aRa8M1+pxK9tnOhzet7edYQ f5A=<br>
<a href="http://hqsmtp01.gpo.gov">hqsmtp01.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131107194035 20131031194035 52704 <a href="http://gpo.gov">gpo.gov</a>. sqWMFslhQGJHUYuuNpC4sA7gbXPZ0+rI1Iw5QFG3snBso+9UfywVCsNC a4Eqy5h2fsIoMLRjtRRcTt2/p7qK6sfjPzhFxnV/QYpUnpKB5jyR2GxW D25VJ76uOFjTafALZuinEn/uyUbN3e5IuGbYvgPqBuLbvPthQ5fOfn7m BU0=<br>
<a href="http://ns2.gpo.gov">ns2.gpo.gov</a>. 28800 IN A 162.140.252.180<br><a href="http://ns2.gpo.gov">ns2.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131106175946 20131030175946 31164 <a href="http://gpo.gov">gpo.gov</a>. CQwsTtIcUF8fv3dfjo2k8Y0dT1K5uvEOKNjDifK9zHJVDhNoy1tCMB7/ wdiGRY7c8XsFxy9A6MjgowBdSu5RV7l6TuiOezX/nOLC1XlwPp/zyUoL 44kQh47ewLdNHOz+QUC5AmRlOu1GwUWnmov26qQ/eU6wONABDx2dhrBs 0U4=<br>
<a href="http://ns2.gpo.gov">ns2.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131106211705 20131030211705 52704 <a href="http://gpo.gov">gpo.gov</a>. gSg10L9Fg71yucsHDX1Owu9WgwxdqJZz+g3uWPYypzBSWOrJYrkJdL++ PbZZz+o2MAR2TCOO6n43+vq5bcel/2p254kqKLZ9FmKrht3O7fn17Tqr JVFVBmH9jqNgn5boy5iF/Jam+6WLRnL1ji8VANmAt1xSqdtXZ2mm5Wyf aCM=<br>
<a href="http://ns1.gpo.gov">ns1.gpo.gov</a>. 28800 IN A 162.140.64.100<br><a href="http://ns1.gpo.gov">ns1.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131106190716 20131030190716 31164 <a href="http://gpo.gov">gpo.gov</a>. bTBhsjnCfKYangIwL/Pk77ZvwsoH/Y0hYdnJsQFYE8wOBztIRKAHFDjr lvnBOquWbgl6qrNqEzWlt5rkHlrBQHduwpwn560gy/zKed8Z0QcycCB9 cK6rl2qRkolikqzbaTs/CHDdtA/WmH8b1basRinazKDVsuOzgs1kO/K9 Bs4=<br>
<a href="http://ns1.gpo.gov">ns1.gpo.gov</a>. 28800 IN RRSIG A 8 3 28800 20131106204627 20131030204627 52704 <a href="http://gpo.gov">gpo.gov</a>. EXpqFW741L1EguseTqzWNaFaNMw1yNLNoNUcBSy+9Ay+V/1C37GA4f8C pl9WT4hljIzhzsUG7RyuqdzuuaxA335mAB/4qpC20uk5Peukti1rZRpT tRPRPrzq4++Nay/Tdm0JZHvlnLJ8kFHu4UkpIUkmN7QaZkgymSq+CZFk unY=<br>
<br>;; Query time: 114 msec<br>;; SERVER: 162.140.64.100#53(162.140.64.100)<br>;; WHEN: Thu Oct 31 15:29:54 2013<br>;; MSG SIZE rcvd: 2468<br><br><br>============================================================================<br>
<br>dig @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=2048<br><br>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=2048<br>
; (1 server found)<br>;; global options: +cmd<br>;; connection timed out; no servers could be reached<br><br>dig @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=1280<br>
<br>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=1280<br>; (1 server found)<br>
;; global options: +cmd<br>;; connection timed out; no servers could be reached<br><br><br>dig @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=1024<br><br>
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=1024<br>; (1 server found)<br>
;; global options: +cmd<br>;; connection timed out; no servers could be reached<br><br>==============================================================================<br><br>dig @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=512<br>
<br>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @<a href="http://ns1.gpo.gov">ns1.gpo.gov</a> <a href="http://gpo.gov">gpo.gov</a> mx +dnssec +norecurse +bufsize=512<br>; (1 server found)<br>
;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50071<br>;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>;<a href="http://gpo.gov">gpo.gov</a>. IN MX<br><br>;; ANSWER SECTION:<br><a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 10 <a href="http://hqsmtp01.gpo.gov">hqsmtp01.gpo.gov</a>.<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 30 <a href="http://acfsmtp01.gpo.gov">acfsmtp01.gpo.gov</a>.<br><a href="http://gpo.gov">gpo.gov</a>. 3600 IN MX 20 <a href="http://hqsmtp02.gpo.gov">hqsmtp02.gpo.gov</a>.<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN RRSIG MX 8 2 3600 20131106191056 20131030191056 31164 <a href="http://gpo.gov">gpo.gov</a>. ZksyQ1oJjbToW/+BURUj1wTvStDUUEXhEqbbo2i0W+fJitY+FooTnU0Z hs5HaS5y8/nvZyy0DHDxwX2RkfJFc9XsHWrf9NxGtjzNwYWrz1IdmV4n lmp7uYQYvXVWukh4ZceGsvdFNpiUp18qTEFMRlv3EvEgROa7CWgt1rif FFU=<br>
<a href="http://gpo.gov">gpo.gov</a>. 3600 IN RRSIG MX 8 2 3600 20131106211107 20131030211107 52704 <a href="http://gpo.gov">gpo.gov</a>. LypsGT8FFAcNInpWpVrBuYWqAH6Hp6ae9SEIvbNd2P4bn33nV9k4UdAD NvOLHlnI380OIyAbpcoHwVupwJERU97Kf4e+b5cOqq5i0imfJ526+9zV XHpreaEE3GgN6PG9F8LffYvHGMBNK5KjEZr/tITXnHrPPdwJ22FXackw XoM=<br>
<br>;; Query time: 52 msec<br>;; SERVER: 162.140.64.100#53(162.140.64.100)<br>;; WHEN: Thu Oct 31 15:34:39 2013<br>;; MSG SIZE rcvd: 432<br><br><br><br></div></div></div></div></div></div>