On 02/23/2011 04:54 PM, Warren Kumari wrote:
In PIX versions 6.3.2 and below you had to do:

  fixup protocol dns maximum-length 4096

In later versions you need:

  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 4096

or, to increase the response size length:

  policy-map global_policy
   class inspection_default
    inspect dns maximum-length 4096

This is rumor and innuendo; I personally believe that:
a: firewalls with ALGs are the devil,
b: this goes double for PIX / ASA, and
c: doubled again for putting them in front of servers, especially DNS servers....

W

On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:

A couple more gems:

https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)

There was another table that I found someplace and cannot find now that listed Cisco PIX and mentioned with a * the subtle difference between versions of that firewall firmware. I can't find that table anywhere -- it was HTML, not in a PDF.

On 02/23/2011 11:39 AM, Ryan Novosielski wrote:

Take a look at this. It is somewhat confusing, but it is helpful and should tell you right away if you definitely have a firewall issue (and frankly there's little else it could be).

https://www.dns-oarc.net/oarc/services/replysizetest

On 02/23/2011 11:15 AM, Shaoquan Lin wrote:

Thanks, Mark,

Last June I asked our firewall person to make sure our firewall was not blocking DNS packets over 512 bytes. He told me our firewall was not blocking. I guess that might be some default setting of the firewall and he does not really know. I did two digs here, one with +dnssec and one without.
I got the following:

1) with +dnssec :

; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached

2) without +dnssec :

; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;vwall4a.nyc.gov.            IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 31 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE  rcvd: 192

Does this show we do have a firewall problem here?

Shaoquan Lin

Mark Andrews wrote:

In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" writes:

Mark,

Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I cannot get A records of the NSs (like vwall4a.nyc.gov) of nyc.gov from b.gov-servers.net with BIND 9.6.1-P3, but I have no problem with older BINDs like 9.3. I don't know if the problem is with the authoritative nameservers for gov or the nameservers for nyc.gov or with the BIND I am using. I noticed the following:

Just fix your firewalls to allow EDNS responses through. While this is a bug in the authoritative servers / interpretation of RFC 1034, it's only an issue because your firewall configuration is a decade out of date.

1). a.gov-servers.net or b.gov-servers.net does provide A records in the additional records of their responses for other subdomains under gov like treas.gov, just not nyc.gov. So the problem seems to be with the nameservers for nyc.gov.
The problem is relatively new and there might be some recent changes on nyc.gov.

The gov servers will return glue if you let bigger answers than 512 bytes through your firewall.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;vwall4a.nyc.gov.            IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 187 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:54:06 2011
;; MSG SIZE  rcvd: 574

2) Older versions of BIND (like 9.3) seem able to resolve vwall4a.nyc.gov, as shown in the packets I captured in my previous e-mail. What options in named.conf can I use to set "tc"?

Thank you.
Shaoquan Lin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
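Added example (not part of the thread, and not written by any of the posters): a small Python probe that reproduces the two-dig test the thread relies on to tell a firewall problem from a server problem. It builds a non-recursive A query with and without an EDNS0 OPT record (what dig +dnssec sends), parses a reply header for the TC bit, section counts and the advertised EDNS buffer size, and classifies the outcome the way the thread does: plain query answered but EDNS query times out means something on the path drops DNS/UDP replies over 512 bytes. All function and variable names, the query id, and the constructed truncated reply are assumptions of this example; send_probe is the only function that touches the network and is never called unless you point it at a server of your own.

```python
import socket
import struct


def encode_name(name):
    """Encode a dotted DNS name as wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, query_id=0x1234, edns_udp_size=None, dnssec_ok=False):
    """Build a non-recursive query (like dig +norec); when edns_udp_size is set,
    append an EDNS0 OPT record, which is what dig +dnssec / +bufsize sends."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", query_id, 0x0000, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size the sender
        # accepts, TTL carries ext-rcode/version/flags (DO bit = 0x8000), empty RDATA.
        flags = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, edns_udp_size, 0, 0, flags, 0)
    return msg


def _skip_name(data, pos):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return pos + 2
        pos += 1 + length


def parse_message(data):
    """Extract what the diagnosis needs from a DNS message: TC bit, counts, EDNS size."""
    mid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": mid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns,
            "arcount": ar, "size": len(data), "edns_udp_size": None}
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 41:                           # OPT: its CLASS field is the buffer size
            info["edns_udp_size"] = rclass
        pos += 10 + rdlen
    return info


def send_probe(server, name, timeout=3.0, **query_kwargs):
    """Send one UDP query to `server` (an IP you choose) and return the parsed reply,
    or None on timeout, mirroring dig's 'connection timed out' outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, **query_kwargs), (server, 53))
        data, _ = sock.recvfrom(65535)
        return parse_message(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


def diagnose(plain_reply, edns_reply):
    """Classify the thread's two-dig pattern. Arguments are parse_message() results,
    or None when the query timed out."""
    if plain_reply is None:
        return "no reply even without EDNS: not a size problem, check reachability first"
    if edns_reply is None:
        return ("plain query answered but EDNS query times out: something on the path "
                "drops DNS/UDP replies larger than 512 bytes")
    if edns_reply["tc"]:
        return ("EDNS reply truncated (TC set): the server capped the answer, so the "
                "resolver will retry over TCP; make sure TCP/53 is allowed")
    return "both replies arrive: the path carries large EDNS responses"


# Constructed sample (not captured traffic): a truncated reply, QR and TC set, no records.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)
                    + encode_name("vwall4a.nyc.gov") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    plain = parse_message(build_query("vwall4a.nyc.gov"))
    print(diagnose(plain, None))                       # the thread's timeout case
    print(diagnose(plain, parse_message(SAMPLE_TRUNCATED)))
```

To run the real test, call send_probe(server_ip, "some.name", edns_udp_size=4096, dnssec_ok=True) and send_probe(server_ip, "some.name") against a server you operate or are entitled to query, then pass the two results to diagnose(); a timeout only on the EDNS probe is the signature the thread describes, and the OARC reply size test linked above checks the same thing from the server side.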