On Thu, Apr 22, 2010 at 11:36 AM, Michael Sinatra <mich...@rancid.berkeley.edu> wrote:
> But it doesn't contain the RRSIGs for the DNSKEY. 'dig +norec +cdflag
> dnskey uspto.gov @dns1.uspto.gov' does not contain RRSIGs so it is only
> 1131 bytes. A non-EDNS0 query will receive the TC bit and will retry in
> TCP. 'dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov' has a response
> that includes the RRSIGs and is 1736 bytes, which on most ethernets will
> cause UDP fragmentation. I get a timeout when using dig with +dnssec and
> without +vc. However, 'dig +bufsize=1024 +dnssec +norec dnskey uspto.gov
> @dns1.uspto.gov' which sets an EDNS0 buffer size of 1024, does get a
> response, after retrying in TCP mode.
>
> In other words, uspto.gov's DNS servers and network are able to send
> responses longer than 512 bytes, but if the response is longer than 1500
> bytes, something in the network between those DNS servers and the rest of us
> is blocking the UDP fragments.
>

Actually, what seems interesting to me is that the cutoff seems to be at a payload size of 1736, which happens to be the exact size of the complete response. Is this just coincidence?

$ dig +bufsize=1735 +dnssec @dns1.uspto.gov uspto.gov dnskey
;; Truncated, retrying in TCP mode.

$ dig +bufsize=1736 +dnssec @dns1.uspto.gov uspto.gov dnskey
; <<>> DiG 9.6.1-P3 <<>> +bufsize=1736 +dnssec @dns1.uspto.gov uspto.gov dnskey
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Casey
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
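An added example, not from this thread or from any of its participants, written in Python with only the standard library. It builds the packet that a 'dig +norec +dnssec +bufsize=N' run sends (a DNSKEY question plus an EDNS0 OPT record carrying the advertised UDP payload size and the DO bit), reads that size back out of the packet, checks a response header for the TC bit, and predicts the three outcomes reported above: truncation with a TCP retry when the answer exceeds the advertised buffer, one unfragmented UDP datagram when it fits under the path MTU, and a fragmented UDP datagram otherwise. The 1500-byte MTU and the 1131/1736-byte response sizes come from the thread; the 28-byte IPv4+UDP header overhead and the name uspto.gov are used as constructed inputs. Nothing is sent on the wire.

```python
# Added example (not from the thread): model 'dig +bufsize=N +dnssec' against a
# server whose signed DNSKEY answer is larger than the path MTU.
import struct

DNSKEY = 48             # RRtype queried in the thread
IN = 1                  # class IN
OPT = 41                # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000         # "DNSSEC OK" bit in the OPT TTL field, set by dig +dnssec
TC_FLAG = 0x0200        # truncation bit in the DNS header flags
CLASSIC_LIMIT = 512     # UDP payload limit when no OPT record is present
IPV4_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header (assumed IPv4)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNSKEY, bufsize=None, dnssec_ok=False, txid=0x1234):
    """Build a non-recursive query; bufsize=None means no OPT record (classic 512-byte DNS)."""
    arcount = 1 if bufsize is not None else 0
    # flags = 0: RD bit clear, like dig +norec
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, arcount)
    packet = header + encode_name(name) + struct.pack("!HH", qtype, IN)
    if bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode / version / DO flag, empty RDATA.
        ttl = DO_BIT if dnssec_ok else 0
        packet += b"\x00" + struct.pack("!HHIH", OPT, bufsize, ttl, 0)
    return packet


def skip_name(buf, off):
    """Return the offset just past a wire-format name (compression pointers are 2 bytes)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_bufsize(packet):
    """EDNS0 UDP payload size a query advertises, or 512 if it carries no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10 + rdlen
        if rtype == OPT:
            return rclass
    return CLASSIC_LIMIT


def is_truncated(response):
    """True when a response header has the TC bit set (dig then retries over TCP)."""
    flags = struct.unpack_from("!H", response, 2)[0]
    return bool(flags & TC_FLAG)


def predict(response_size, query, path_mtu=1500):
    """What the client sees for a DNS payload of response_size bytes, per the thread's observations."""
    bufsize = advertised_bufsize(query)
    if response_size > bufsize:
        return "truncated (TC), retry over TCP"
    if response_size + IPV4_UDP_OVERHEAD > path_mtu:
        return "single UDP answer, fragmented; times out if fragments are dropped"
    return "single unfragmented UDP answer"


def sweep(response_size, sizes, name="uspto.gov"):
    """Predicted outcome for each +bufsize value, to locate the threshold."""
    return {n: predict(response_size, build_query(name, bufsize=n, dnssec_ok=True))
            for n in sizes}


if __name__ == "__main__":
    # 1736 bytes is the signed DNSKEY answer size reported in the thread.
    for n, outcome in sweep(1736, (1024, 1735, 1736, 4096)).items():
        print(f"+bufsize={n}: {outcome}")
```

Run stand-alone it prints the prediction for +bufsize values 1024, 1735, 1736 and 4096 against the 1736-byte answer: every buffer below the answer size gets the TC bit and a TCP retry, and from 1736 upward the server sends the whole answer in one datagram, which is above the 1472-byte payload an unfragmented 1500-byte frame can carry. The boundary between "truncated" and "timed out" therefore falls exactly at the response size, which is what the two dig runs above show.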