Thanks, Mark,
Last June I asked our firewall person to make sure our firewall not
blocking DNS packets over 512 bytes. He told me our firewall was not
blocking. I guess that might be some default setting of the firewall
and he does not really know. I did two digs here one with +dnssec and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).
https://www.dns-oarc.net/oarc/services/replysizetest
On 02/23/2011
...@christophercain.ca
-- Forwarded message --
From: Ryan Novosielski novos...@umdnj.edu
To: bind-users@lists.isc.org
Date: Wed, 23 Feb 2011 11:39:41 -0500
Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Take a look
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)
There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-length 4096
In later versions you need:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
or to increase the response size length:
policy-map global_policy
class inspection_default
There was also a message-length client auto or something like that too
for some versions of some Cisco HW, but if memory serves, the version
that introduced it is broken. :)
On 02/23/2011 04:54 PM, Warren Kumari wrote:
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns
tc?
Thank you.
Shaoquan Lin
- Original Message -
From: Mark Andrews ma...@isc.org
To: Shaoquan Lin l...@ccny.cuny.edu
Cc: bind-us...@isc.org
Sent: Saturday, February 19, 2011 6:08 AM
Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
In message
In message 0539E64AD2B54AD2804C2394F923800B@se179, Shaoquan Lin writes:
Mark,
Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I
can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older
In message 17894D6D30484DDFBBE95BEF987FF5D1@se179, Shaoquan Lin writes:
Ryan,
Have you solved your problem? I have similar problems. I run BIND =
9.6..1-P3 on my Solaris 10 and can not resolve anything in domain =
nyc.gov. One thing I noticed is: BIND 9.3 send query to =
Ryan,
Have you solved your problem? I have similar problems. I run BIND 9.6..1-P3 on
my Solaris 10 and can not resolve anything in domain nyc.gov. One thing I
noticed is: BIND 9.3 send query to b.gov-servers.net with no Additional
records and got a response with A records for the nyc.gov
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 02/11/2011 01:21 PM, Ryan Novosielski wrote:
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
health.nyc.gov query-errors:
10-Feb-2011 15:32:30.682 query-errors: debug 1: client
max-udp-size controls what you send.
MAX(512, MIN(max-udp-size, client's UDP size))
edns-udp-size controls what you advertise you can receive.
MAX(512, MIN(edns-udp-size, server's UDP size))
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2
12 matches
Mail list logo
