Re: DNSSEC

Wed, 05 May 2010 08:57:18 -0700 


On May 4, 2010, at 11:01 AM, Linux Addict wrote:
On Tue, May 4, 2010 at 10:43 AM, Stephane Bortzmeyer <bortzme...@nic.fr > wrote: 
On Tue, May 04, 2010 at 10:27:25AM -0400,
 Linux Addict <linuxaddi...@gmail.com> wrote
 a message of 89 lines which said:

> lacks EDNS, defaults to 512"
> DNS reply size limit is at least 490"
> "Tested at 2010-05-04 14:21:02 UTC"

You edited the responses (which includes an IP address). Is it the IP
address of your resolver? There is may be a forwarder which does not
have EDNS.

Second possibility, a middlebox mangles your packets and deletes EDNS
options.
Actually that IP was our external NAT. One information I neglected to mention is bind forwards to a tinydns appliance which of course does not support DNSSEC for obvious reasons.
So what are my options now? Will the internet work for me tomorrow? At least I have company in Google.. 

dig +short rs.dns-oarc.net txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.233.168.94 DNS reply size limit is at least 490"
"64.233.168.94 lacks EDNS, defaults to 512"
"Tested at 2010-05-04 15:00:07 UTC"
Actually, we do support EDNS0, but usually only advertise larger buffers if needed. 

For example,  if you retry this with +dnssec you should get:

wkum...@colon:/$ dig +dnssec  +short rs.dns-oarc.net txt @8.8.8.8
rst.x1247.rs.dns-oarc.net.
rst.x1257.x1247.rs.dns-oarc.net.
rst.x1228.x1257.x1247.rs.dns-oarc.net.
"74.125.44.94 DNS reply size limit is at least 1257"
"74.125.44.94 sent EDNS buffer size 1280"
"Tested at 2010-05-05 15:51:16 UTC"
wkum...@colon:/$


W





_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--
If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. 
-- Richard A Steenbergen



_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to