You really want to work out what is being blocked: EDNS? Responses bigger than 512 bytes? DNSSEC? Fragmented responses? With a clean path all of these should succeed but only the last one won't have "tc" set.

This does a plain DNS query, an EDNS query that limits the response to 512 bytes, a DNSSEC query that limits the response to 512 bytes, a DNSSEC query that limits the response to something that would not normally be fragmented but exceeds 512 bytes, a DNSSEC query that will normally be fragmented.

% dig soa se @192.36.133.107 +norec +ignore
% dig soa se @192.36.133.107 +norec +ignore +bufsize=512
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec

Named does the following by default. Ensure you have an up-to-date version of named.

dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
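
The six probes from the message above, wrapped in a script that classifies each reply as ok, truncated ("tc" set), or timeout. This is an added example, not part of the original post; the function names classify_dig and run_probes and the script name probe.sh are hypothetical, and the sample reply in the offline branch is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original message): run the six probes and
# classify each reply from dig's text output.

# classify_dig: read dig output on stdin, print a verdict and the reply size.
classify_dig() {
    local out flags size
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'connection timed out|no servers could be reached'; then
        echo "timeout"; return 0
    fi
    # Header line looks like ";; flags: qr aa tc; QUERY: 1, ANSWER: 0, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    size=$(printf '%s\n' "$out" | sed -n 's/^;; MSG SIZE  *rcvd: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$flags" ]; then echo "no-response"; return 0; fi
    case " $flags " in
        *" tc "*) echo "truncated size=${size:-unknown}" ;;
        *)        echo "ok size=${size:-unknown}" ;;
    esac
}

# run_probes SERVER ZONE: the message's six queries, in the order given.
run_probes() {
    local server=$1 zone=$2 args
    while read -r args; do
        # $args is deliberately unquoted so it splits into dig arguments.
        printf '%-36s %s\n' "$args" \
            "$(dig $args "@$server" +norec +ignore </dev/null 2>&1 | classify_dig)"
    done <<EOF
soa $zone
soa $zone +bufsize=512
dnskey $zone +bufsize=1200
dnskey $zone +bufsize=512 +dnssec
dnskey $zone +bufsize=1200 +dnssec
dnskey $zone +bufsize=4096 +dnssec
EOF
}

if [ "$#" -eq 2 ]; then
    run_probes "$1" "$2"          # live run: ./probe.sh 192.36.133.107 se
else
    # Offline demo on a constructed reply (not captured from a real server).
    printf '%s\n' ';; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1' \
        ';; MSG SIZE  rcvd: 31' | classify_dig
fi
```

Reading the output top to bottom, the first probe that reports timeout instead of ok or truncated marks the point where the path starts dropping replies.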

