Hi Folks,

Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512? Here's what I'm seeing:

No edns-udp-size setting.

tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1

11:42:36.574916 IP (tos 0x0, ttl 64, id 21833, offset 0, flags [none], proto UDP (17), length 68) 71.246.241.146.10399 > 69.36.157.30.53: [udp sum ok] 56983 [1au] A? www.nsf.gov. ar: . OPT UDPsize=4096 OK (40)
11:42:36.659636 IP (tos 0x0, ttl 249, id 54334, offset 0, flags [none], proto UDP (17), length 598) 69.36.157.30.53 > 71.246.241.146.10399: [udp sum ok] 56983- q: A? www.nsf.gov. 0/7/5 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: swirl.nsf.gov. A 198.181.231.15, whirl.nsf.gov. A 198.181.231.16, cyclone.nsf.gov. A 204.14.134.227, twister.nsf.gov. A 198.181.231.17, . OPT UDPsize=1472 (570)

edns-udp-size 512

tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1

11:53:01.604105 IP (tos 0x0, ttl 64, id 21834, offset 0, flags [none], proto UDP (17), length 68) 71.246.241.146.58103 > 69.36.157.30.53: [udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags [none], proto UDP (17), length 534) 69.36.157.30.53 > 71.246.241.146.58103: [udp sum ok] 10320- q: A? www.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (506)
11:53:01.695000 IP (tos 0x0, ttl 64, id 20662, offset 0, flags [none], proto UDP (17), length 70) 71.246.241.146.23911 > 209.112.123.30.53: [udp sum ok] 18982% [1au] A? whirl.nsf.gov. ar: . OPT UDPsize=512 OK (42)
11:53:01.695489 IP (tos 0x0, ttl 64, id 20663, offset 0, flags [none], proto UDP (17), length 70) 71.246.241.146.63892 > 209.112.123.30.53: [udp sum ok] 3675% [1au] AAAA? whirl.nsf.gov. ar: . OPT UDPsize=512 OK (42)
11:53:01.695931 IP (tos 0x0, ttl 64, id 20664, offset 0, flags [none], proto UDP (17), length 70) 71.246.241.146.37019 > 209.112.123.30.53: [udp sum ok] 36777% [1au] A? swirl.nsf.gov. ar: . OPT UDPsize=512 OK (42)
11:53:01.696274 IP (tos 0x0, ttl 64, id 20665, offset 0, flags [none], proto UDP (17), length 70) 71.246.241.146.15021 > 209.112.123.30.53: [udp sum ok] 13755% [1au] AAAA? swirl.nsf.gov. ar: . OPT UDPsize=512 OK (42)
11:53:01.696653 IP (tos 0x0, ttl 64, id 20666, offset 0, flags [none], proto UDP (17), length 72) 71.246.241.146.38082 > 209.112.123.30.53: [udp sum ok] 14449% [1au] A? cyclone.nsf.gov. ar: . OPT UDPsize=512 OK (44)
11:53:01.697045 IP (tos 0x0, ttl 64, id 20667, offset 0, flags [none], proto UDP (17), length 72) 71.246.241.146.28219 > 209.112.123.30.53: [udp sum ok] 38858% [1au] AAAA? cyclone.nsf.gov. ar: . OPT UDPsize=512 OK (44)
11:53:01.699294 IP (tos 0x0, ttl 64, id 20668, offset 0, flags [none], proto UDP (17), length 72) 71.246.241.146.50745 > 209.112.123.30.53: [udp sum ok] 53248% [1au] A? twister.nsf.gov. ar: . OPT UDPsize=512 OK (44)
11:53:01.700257 IP (tos 0x0, ttl 64, id 20669, offset 0, flags [none], proto UDP (17), length 72) 71.246.241.146.21482 > 209.112.123.30.53: [udp sum ok] 56185% [1au] AAAA? twister.nsf.gov. ar: . OPT UDPsize=512 OK (44)
11:53:01.780833 IP (tos 0x0, ttl 251, id 9453, offset 0, flags [none], proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.23911: [udp sum ok] 18982- q: A? whirl.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781284 IP (tos 0x0, ttl 251, id 24142, offset 0, flags [none], proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.63892: [udp sum ok] 3675- q: AAAA? whirl.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781999 IP (tos 0x0, ttl 251, id 9454, offset 0, flags [none], proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.37019: [udp sum ok] 36777- q: A? swirl.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782136 IP (tos 0x0, ttl 251, id 24143, offset 0, flags [none], proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.15021: [udp sum ok] 13755- q: AAAA? swirl.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782552 IP (tos 0x0, ttl 251, id 9455, offset 0, flags [none], proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.38082: [udp sum ok] 14449- q: A? cyclone.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.782937 IP (tos 0x0, ttl 251, id 24144, offset 0, flags [none], proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.28219: [udp sum ok] 38858- q: AAAA? cyclone.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.785168 IP (tos 0x0, ttl 251, id 9456, offset 0, flags [none], proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.50745: [udp sum ok] 53248- q: A? twister.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.786251 IP (tos 0x0, ttl 251, id 24145, offset 0, flags [none], proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.21482: [udp sum ok] 56185- q: AAAA? twister.nsf.gov. 0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)

So with edns-udp-size set to 512 it looks like the .gov servers (a.gov-servers.net, b.gov-servers.net) refuse to ever return the necessary glue for the nsf.gov DNS servers. Am I reading this right?

Thanks,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
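The failure in the capture, worked through in wire format as an added example (not part of Bill's post, and not code from BIND or from the .gov servers): pure-stdlib Python that builds the query BIND sent (A? www.nsf.gov with OPT UDPsize=512 and DO=1, the "OK" in the tcpdump output), assembles the nsf.gov referral within the client's advertised buffer, and then looks at the result the way a resolver has to. The NS names and glue addresses are the ones in the capture; the DS and RRSIG bodies, key tags and the 160-byte signature are constructed filler, sized so the response behaves as the capture does (the authority section fits in 512 bytes, any glue record pushes it over). `set_tc_when_glue_dropped` is a hypothetical policy switch for this example, not an option of any real server: False reproduces what the .gov servers did (glue dropped, TC=0), True is the behaviour Mark Andrews describes and that was later deployed (glue dropped, TC=1).

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 2, 41, 43, 46
FLAG_QR, FLAG_TC, DO_BIT = 0x8000, 0x0200, 0x8000  # DO = top bit of the OPT flags field (RFC 3225)
NSF_NS = ["swirl.nsf.gov.", "whirl.nsf.gov.", "cyclone.nsf.gov.", "twister.nsf.gov."]
NSF_GLUE = {"swirl.nsf.gov.": "198.181.231.15", "whirl.nsf.gov.": "198.181.231.16",
            "cyclone.nsf.gov.": "204.14.134.227", "twister.nsf.gov.": "198.181.231.17"}

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):  # returns (name, offset after it); no compression is used here
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def rr(owner, rtype, rdata, ttl=172800, rclass=1):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def opt_rr(bufsize, do):
    # OPT pseudo-RR: owner ".", CLASS carries the UDP payload size, TTL carries ext-rcode/version/flags
    return rr(".", TYPE_OPT, b"", ttl=DO_BIT if do else 0, rclass=bufsize)

def build_query(qid, qname, qtype, bufsize=512, do=True):
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD=0: iterative query, one OPT in AR
            + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr(bufsize, do))

def parse_message(msg):
    qid, flags, *counts = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "tc": bool(flags & FLAG_TC), "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(counts[0]):  # skip the question section
        off = decode_name(msg, off)[1] + 4
    for sec, count in zip(("answer", "authority", "additional"), counts[1:]):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == TYPE_NS:
                value = decode_name(rdata, 0)[0]
            elif rtype == TYPE_A:
                value = ".".join(str(b) for b in rdata)
            else:  # OPT: CLASS = bufsize, TTL carries the DO bit; other types stay raw
                value = {"bufsize": rclass, "do": bool(ttl & DO_BIT)} if rtype == TYPE_OPT else rdata
            out[sec].append((name, rtype, value))
    return out

def nsf_authority():
    """4 NS + 2 DS + RRSIG(DS) as in the capture; DS/RRSIG bodies are constructed filler."""
    auth = [rr("nsf.gov.", TYPE_NS, encode_name(n)) for n in NSF_NS]
    for tag in (0x1234, 0x5678):  # made-up key tags; alg 8 (RSA/SHA-256), digest type 2 (SHA-256)
        auth.append(rr("nsf.gov.", TYPE_DS, struct.pack("!HBB", tag, 8, 2) + b"\x00" * 32))
    sig = struct.pack("!HBBIIIH", TYPE_DS, 8, 2, 86400, 0, 0, 0x1234) + encode_name("gov.")
    auth.append(rr("nsf.gov.", TYPE_RRSIG, sig + b"\x00" * 160))  # 160-byte signature placeholder
    return auth

def build_referral(query, set_tc_when_glue_dropped):
    """Referral sized to the client's EDNS buffer: authority is mandatory, glue is added
    while it fits; the hypothetical switch decides whether dropped glue sets TC."""
    q = parse_message(query)
    opts = [v for _, t, v in q["additional"] if t == TYPE_OPT]
    bufsize = max(512, opts[0]["bufsize"]) if opts else 512  # no OPT => classic 512-byte limit
    question = query[12:decode_name(query, 12)[1] + 4]
    authority, ours = nsf_authority(), (opt_rr(1472, do=False) if opts else b"")
    used = 12 + len(question) + sum(map(len, authority)) + len(ours)
    assert used <= bufsize, "authority alone does not fit; a real server must truncate here"
    glue, flags = [], FLAG_QR
    for n, ip in NSF_GLUE.items():
        g = rr(n, TYPE_A, bytes(int(o) for o in ip.split(".")))
        if used + len(g) <= bufsize:
            glue.append(g)
            used += len(g)
        elif set_tc_when_glue_dropped:  # the RFC 1034 behaviour Mark Andrews refers to
            flags |= FLAG_TC
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, len(authority), len(glue) + bool(ours))
    return header + question + b"".join(authority) + b"".join(glue) + ours

def assess_referral(resp):
    """Resolver's view: can the referral be followed, or does it loop as in the capture?"""
    m = parse_message(resp)
    zone = m["authority"][0][0]
    ns_names = [v for _, t, v in m["authority"] if t == TYPE_NS]
    glue = {n: v for n, t, v in m["additional"] if t == TYPE_A}
    missing = [n for n in ns_names if n.endswith("." + zone) and n not in glue]
    if m["tc"]:
        verdict = "retry over TCP"
    elif len(missing) < len(ns_names):  # some NS has glue or is out of bailiwick
        verdict = "usable"
    else:
        verdict = "unresolvable: every NS is in-bailiwick, glueless, and TC=0"
    return {"tc": m["tc"], "ns": ns_names, "glue": glue, "missing_glue": missing, "verdict": verdict}

def demo(bufsize, compliant_server):
    query = build_query(56983, "www.nsf.gov.", TYPE_A, bufsize=bufsize, do=True)
    return assess_referral(build_referral(query, set_tc_when_glue_dropped=compliant_server))
```

Three calls show the three cases. `demo(4096, False)` returns all four glue records and the verdict "usable", like the first capture. `demo(512, False)` returns no glue with TC clear and the verdict "unresolvable": the only way the resolver can learn the addresses of swirl, whirl, cyclone and twister is to ask the same servers, which answer with the same glueless referral, which is exactly the eight follow-up queries in the second capture. `demo(512, True)` returns no glue but TC set, so the resolver knows to retry over TCP. The query builder also reproduces the 40-byte size tcpdump reports for BIND's query.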
* William Herrin:

> Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?

You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.

This has been noted before, for example:

From: Mark Andrews <marka@isc.org>
Subject: [dnsext] Failure to add glue MUST cause TC to be set.
To: dnsext@ietf.org
Date: Sun, 20 Feb 2011 08:07:15 +1100
Message-Id: <20110219210716.72943A5602B@drugs.dv.isc.org>
On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * William Herrin:
>> Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?
>
> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.

Hi Florian,

I have "dnssec-enable no;" in my bind config. Were you able to determine from the tcpdump output that DNSSEC was being requested? How?

Thanks,
Bill Herrin
* William Herrin:

> On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>> * William Herrin:
>>> Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?
>>
>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.
>
> I have "dnssec-enable no;" in my bind config.

It does not seem to have the intended effect.

> Were you able to determine from the tcpdump output that DNSSEC was being requested?

> [udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40) 11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags

"OK" means that DO=1 was set.
On Mon, May 2, 2011 at 1:31 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * William Herrin:
>> On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>> * William Herrin:
>>>> Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?
>>>
>>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.
>>
>> I have "dnssec-enable no;" in my bind config.
>
> It does not seem to have the intended effect.

Hmm. You're right. Bind won't disable DNSSEC unless you turn edns off completely with:

server 0.0.0.0/0 { edns no; };

Thanks for the info!

Regards,
Bill Herrin
Florian Weimer <fw@deneb.enyo.de> wrote:
>> I have "dnssec-enable no;" in my bind config.
>
> It does not seem to have the intended effect.

BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is OK to send them" not "I would like you to send DNSSEC RRs". This is why it always sets the DO bit when it can, i.e. when the request contains an EDNS OPT pseudo-RR.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5 or 6 later. Rough or very rough. Occasional rain. Moderate or good, occasionally poor.
* Tony Finch:

> Florian Weimer <fw@deneb.enyo.de> wrote:
>>> I have "dnssec-enable no;" in my bind config.
>>
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is OK to send them" not "I would like you to send DNSSEC RRs". This is why it always sets the DO bit when it can, i.e. when the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all. The resolver just promises to ignore any ancillary record sets it does not understand. If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.
On May 2, 2011, at 10:19 PM, Florian Weimer wrote:
> I would go even further---the DO bit is not about DNSSEC at all.

Err, yes it is.

> The resolver just promises to ignore any ancillary record sets it does not understand.

How people implement RFC 3225 does differ from the intent of the author; however, I would be surprised if this is what DO is taken to mean in any resolver.

> If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.

You're suggesting RFC 3225 should have predicted DNSSECbis? Would it help if the interpretation of DO is that it indicates the resolver supports "DNSSEC as defined at the time"?

This probably isn't the right venue for this discussion.

Regards,
-drc
On Tue, May 3, 2011 at 10:23 AM, David Conrad <drc@virtualized.org> wrote:
> This probably isn't the right venue for this discussion.

Hi David,

I'm going to go with Mark's answer: "nameservers that don't set TC [truncated bit] when they can't fit glue are broken RFC 1034." When that happens to be both TLD servers for a particular TLD (.gov), I'm calling that an operational issue.

I have a workaround. I'm happy. But the folks running gov-servers.net *really* ought to have a discussion with their vendor.

Regards,
Bill Herrin
On May 3, 2011, at 7:54 AM, William Herrin wrote:
> On Tue, May 3, 2011 at 10:23 AM, David Conrad <drc@virtualized.org> wrote:
>> This probably isn't the right venue for this discussion.
>
> Hi David,
>
> I'm going to go with Mark's answer: "nameservers that don't set TC [truncated bit] when they can't fit glue are broken RFC 1034." When that happens to be both TLD servers for a particular TLD (.gov), I'm calling that an operational issue.
>
> I have a workaround. I'm happy. But the folks running gov-servers.net *really* ought to have a discussion with their vendor.

I'm pleased to report that the fix for this problem was finally deployed, as of yesterday. You should now find TC=1 in responses from the .gov name servers when the glue won't fit:

$ dig +dnssec +bufsize=512 @a.gov-servers.net www.nsf.gov a
;; Truncated, retrying in TCP mode.
....

Duane W.
* David Conrad:

> On May 2, 2011, at 10:19 PM, Florian Weimer wrote:
>> I would go even further---the DO bit is not about DNSSEC at all.
>
> Err, yes it is.

I know you think it is, but you're wrong if you look at the overall protocol.

>> If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.
>
> You're suggesting RFC 3225 should have predicted DNSSECbis?

Not quite. If DO was about DNSSEC in the strictest possible sense, then it would not have been possible to reuse the flag for DNSSECbis, which hasn't got anything in common with DNSSEC as far as the wire types are concerned. For an original-DNSSEC-supporting resolver, they look like garbage, just as the original DNSSEC records did for some of the resolvers back then. So if DO referred to a specific set of record types (the original DNSSEC ones), you'd need a new flag for DNSSECbis. But this wasn't done, so DO does not cover a specific set of record types, and it is therefore not tied to a particular DNS protocol extension, including DNSSEC.
At 18:53 +0200 5/3/11, Florian Weimer wrote:
> * David Conrad:
>> On May 2, 2011, at 10:19 PM, Florian Weimer wrote:
>>> I would go even further---the DO bit is not about DNSSEC at all.
>>
>> Err, yes it is.
>
> I know you think it is, but you're wrong if you look at the overall protocol.

This is becoming a thread-to-the-death over a general weakness in the DNS protocol. (Realizing this mailing list is NANOG, not an IETF one.) Like it or not, "versioning" and "negotiation" are poor-to-non-existent in DNS. What's happening here is a document author (David) meant one thing and implementations (e.g., BIND) interpreted the document another way. It doesn't matter that David is right (in that he meant it another way, and the way is what the WG meant); it more matters that the ship has sailed on "fixing" this in implementations. And frankly, the fix isn't that important in retrospect because what the implementers did is actually ok; we can and we do live nicely with it.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say? Waah?"
Son: "Waah!"
In message <878vupuiu0.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
> * William Herrin:
>> Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?
>
> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.
>
> This has been noted before, for example:
>
> From: Mark Andrews <marka@isc.org>
> Subject: [dnsext] Failure to add glue MUST cause TC to be set.
> To: dnsext@ietf.org
> Date: Sun, 20 Feb 2011 08:07:15 +1100
> Message-Id: <20110219210716.72943A5602B@drugs.dv.isc.org>

And nameservers that don't set TC when they can't fit glue are broken RFC 1034.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
* Mark Andrews:

>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.
>>
>> This has been noted before, for example:
>>
>> From: Mark Andrews <marka@isc.org>
>> Subject: [dnsext] Failure to add glue MUST cause TC to be set.
>> To: dnsext@ietf.org
>> Date: Sun, 20 Feb 2011 08:07:15 +1100
>> Message-Id: <20110219210716.72943A5602B@drugs.dv.isc.org>
>
> And nameservers that don't set TC when they can't fit glue are broken RFC 1034.

Only if they produce such answers in response to compliant queries. 8-)