To follow up on Peter's question: what does it mean if one sees the "reply size limit is at least" with a value lower than the advertised EDNS buffer size?
This link talks about various scenarios but not that one, so I'm not sure if this means Peter and I need to be concerned.

I saw similar results as Peter, so I set my edns-udp-size to 3839, which was the lower "at least" value I saw when it was advertising 4096. (I saw 3843 on the other test.) On doing that, however, I now see the advertised value is 3839 but the "at least" value is 3828 on one and 3827 on the other, as shown below. Based on that, it appears one should NOT set the edns-udp-size, as it doesn't fix the problem.

The issue

[r...@dswadns1 etc]# dig txt test.rs.ripe.net +short
rst.x3828.rs.ripe.net.
rst.x3793.x3828.rs.ripe.net.
rst.x3799.x3793.x3828.rs.ripe.net.
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 summary bs=3839,rs=3828,edns=1,do=1"
"12.44.84.213 DNS reply size limit is at least 3828 bytes"

[r...@dswadns1 etc]# dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3797.x3827.rs.dns-oarc.net.
rst.x3803.x3797.x3827.rs.dns-oarc.net.
"Tested at 2010-05-03 19:35:55 UTC"
"12.44.84.213 sent EDNS buffer size 3839"
"12.44.84.213 DNS reply size limit is at least 3827"

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Peter Laws
Sent: Monday, May 03, 2010 1:16 PM
To: bind-us...@isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

On 01/-10/37 13:59, Kalman Feher wrote:
>
> Second, make sure the tested effective size appears in your named.conf in
> the options statement "edns-udp-size" on your resolver.
>
> In your case:
> edns-udp-size 3843;

Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the dns-oarc.net test, which I assume is the default. I, too, get the 3843 "at least" value.

Why would I set it to 3843? Wouldn't I want it to be set to 4096 even if *some* device between here and dns-oarc.net only allows that smaller value?

I just woke up to this issue, sorry to say.
Interestingly, it didn't come up (directly) during the Educause webinar about DNSSEC last week (.edu will be signed in July).

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users