[Dnsmasq-discuss] Large AXFR through dnsmasq causes dig to hang with partial results
Hi everyone,

I've had a strange issue I've been trying to resolve over the past few days where dnsmasq seems to only be allowing part of a zone transfer through, causing dig to hang.

I opened a Stackoverflow post to track it with most of the information I've found.
https://serverfault.com/questions/933956/large-axfr-through-dnsmasq-causes-dig-to-hang-with-partial-results

With a tcpdump comparing a request with dnsmasq acting as forwarder and without, I can see in both cases that the upstream bind server replies with two packets, 2521 bytes and 189 bytes. When digging dnsmasq, the first packet is read out correctly and dig sits and waits for the second packet, which for some reason it never seems to receive.

When digging bind directly, dig receives both packets and reads out the answer correctly. I'm guessing I'm hitting a packet size limit causing it to split the response, but why does dig not receive the second packet from dnsmasq?

Kind regards,
Connor Bell

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] multiple soa
Second soa in one zone cannot be added. One zone has one soa. Can you please share relevant configuration parts?

On 10/09/2018 11:46 AM, Алексей Кузнецов wrote:
> Hello, I set zone with soa record and it works fine. I want to add second soa
> zone but dnsmasq says duplicate options in config. How to add second soa?

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973
Re: [Dnsmasq-discuss] Large AXFR through dnsmasq causes dig to hang with partial results
On 10/10/18 11:02, Connor Bell wrote:
> Hi everyone,
>
> I’ve had a strange issue I’ve been trying to resolve over the past few
> days where dnsmasq seems to only be allowing part of a zone transfer
> through, causing dig to hang.
>
> I opened a Stackoverflow post to track it with most of the information
> I’ve found.
>
> https://serverfault.com/questions/933956/large-axfr-through-dnsmasq-causes-dig-to-hang-with-partial-results
>
> With a tcpdump comparing a request with dnsmasq acting as forwarder and
> without, I can see in both cases that the upstream bind server replies
> with two packets, 2521 bytes and 189 bytes. When digging dnsmasq, the
> first packet is read out correctly and dig sits and waits for the second
> packet, which for some reason it never seems to receive.

A single packet of 2521 bytes doesn't seem to correspond with the transfer hanging after 700 lines - it's pretty difficult to get 700 lines of output from one 2500 bytes packet, I think.

I suspect that what's happening is that the zone transfer exceeds 65536 bytes, which is the limit for a single message over TCP. AXFR have special-case continuation methods to push the transfer into multiple messages. (if the message doesn't end with a repeat of the SOA record at the start of the transfer, then expect further messages)

Dnsmasq, forwarding replies in TCP mode, was never really designed with AXFR in mind, and doesn't implement this function.

Does it really make sense to do AXFR through dnsmasq: surely you'd talk directly to the authoritative server for the domain of interest?

Cheers,

Simon.

> When digging bind directly, dig receives both packets and reads out the
> answer correctly. I’m guessing I’m hitting a packet size limit causing
> it to split the response, but why does dig not receive the second packet
> from dnsmasq?
>
> Kind regards,
>
> Connor Bell
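
The continuation rule described in the reply above, as an added example that is not part of the original thread or of dnsmasq's code: it walks the two-byte-length-framed DNS messages of a TCP stream and reports the transfer complete only when the answer records begin and end with an SOA. The zone `example.test`, its records and the helper names are constructed for illustration.

```python
import struct
SOA, A, AXFR = 6, 1, 252                      # RR type codes

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:           # pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_types(msg):
    """List the RR TYPE of each answer record in one DNS message."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def axfr_status(stream):
    """Walk length-prefixed messages; complete only if records start and end with SOA."""
    off, msgs, types = 0, 0, []
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            break                             # truncated final message
        types += answer_types(stream[off + 2:off + 2 + n])
        msgs, off = msgs + 1, off + 2 + n
    done = len(types) >= 2 and types[0] == SOA and types[-1] == SOA
    return {"messages": msgs, "records": len(types), "complete": done}

# Constructed sample data: a tiny zone (example.test) split across two TCP messages.
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def message(rrs, question=False):
    q = name("example.test") + struct.pack("!HH", AXFR, 1) if question else b""
    body = struct.pack("!6H", 0x1234, 0x8400, int(question), len(rrs), 0, 0) + q + b"".join(rrs)
    return struct.pack("!H", len(body)) + body
soa_rdata = name("ns.example.test") + name("admin.example.test") + struct.pack("!5I", 1, 3600, 600, 86400, 300)
soa = rr("example.test", SOA, soa_rdata)
first = message([soa, rr("a.example.test", A, bytes([192, 0, 2, 1]))], question=True)
second = message([rr("b.example.test", A, bytes([192, 0, 2, 2])), soa])
```

`axfr_status(first)` shows the state a client is in when only the first message arrives: there is no closing SOA, so it keeps waiting for more, while `axfr_status(first + second)` reports a complete transfer.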
Re: [Dnsmasq-discuss] Release of V2.80
On 10/10/18 03:35, Donald Muller wrote:
> Hi Simon,
>
> I believe that a while ago you mentioned that you were going to be
> releasing 2.80 soon. Do you have a target date yet?

The trite answer to this is always "when it's ready".

There have been two or three issues over the last week or two that came up, and needed to be fixed before 2.80. I think they are all done now, so I intend to make the first release candidate in the next day or two, unless someone finds another show-stopper!

Cheers,

Simon.
[Dnsmasq-discuss] IETF RFC 5011 "Automated Updates of DNS Security (DNSSEC) Trust Anchors" supported?
Hi,

the old root-KSK will be deleted today at 16:00 UTC and the TTLs will run out not later than 48 hours.

Does Dnsmasq support IETF RFC 5011 or are there any plans to implement IETF RFC 5011?

Regards,

Renne