Maintained by: NLnet Labs

[Unbound-users] problems resolving www.iana.org / ianawww.vip.icann.org

W.C.A. Wijngaards
Mon Jun 20 15:52:22 CEST 2011



Hi Leen, Daisuke,

On 06/18/2011 04:56 PM, Daisuke HIGASHI wrote:
> Leen Besselink wrote:
> 
>> Is it just me or is Unbound 1.4.7 not able to resolve www.iana.org /
> ianawww.vip.icann.org right now ?

The responses for this query, the DNSKEY and the A responses, are over 3
Kb.  You likely have path MTU trouble.  Something is wrong with your
fragments.  Perhaps your own firewall is set to stop UDP fragments?

There is the OARC reply size tester to help with that.

The error you see in your logs (I saw your attachments earlier, Leen),
are that the system returns very short (0 byte?) UDP datagrams to
unbound.  Likely because of the UDP fragmentation issues, or less likely
because of a server-error at icann.org nameservers.

> Unbound with DNSSEC validation not able to resolve www.iana.org.
> BIND9 manages to do it but takes long time because of many timeouts.

All the time is because of the PMTU trouble.  For the server it seems as
if the packet has disappeared, and after a while, BIND and unbound
attempt to use smaller packets.  Where BIND does EDNS at 512 (and thus TCP
and it works), Unbound does not implement EDNS at 512 (it is against
standard and people oppose it) and thus turns off EDNS altogether, gets
the response but without DNSSEC information, and thus returns SERVFAIL
because it fails validation.

> It seems that all NS in vip.icann.org returns broken response for
> DNSKEY query with UDP. BIND9 retries query with TCP and gets complete
> DNSKEY but Unbound does not.

Yes, because of the different probe.

> Despite vip.icann.org NS are broken, is Unbound behavior correct?
> 
> ------------------
>> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +dnssec
>   <snip>
> ;; connection timed out; no servers could be reached
> 
>> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +tcp +dnssec
> <very large DNSKEY RRSet and RRSIG>
> ------------------

It is not really possible for unbound to probe the PMTU trouble
everywhere; it is not DNS-OARC.  If you really have to you can configure
a workaround, the edns-size in unbound.conf to 1280 or so and then you
have less PMTU trouble.  It is better for the internet if you fix the
PMTU trouble (on your firewall, or from your provider).

Best regards,
   Wouter
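An added illustration (not from the thread, nor Unbound's or BIND's own code) of the wire-level difference the reply describes: a DO=1 query with a 4096-byte EDNS buffer, the 1280 workaround, and no EDNS at all, plus the timeout / TC classification a resolver's fallback has to make. It assumes only the Python 3 standard library; the nameserver address given on the command line is your own choice.

```python
import socket
import struct
DNSKEY = 48  # query type used in the thread's dig examples

def encode_name(qname):
    """Wire-format a domain name: each label prefixed by its length, then a root byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, edns_size=None, do=False, txid=0x1234):
    """Build a DNS query. edns_size=None sends no OPT RR (EDNS off), the state
    Unbound falls back to; with no EDNS there is no DO bit, so the server sends
    no RRSIGs and validation cannot succeed."""
    arcount = 0 if edns_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size is None:
        return header + question
    # OPT RR (RFC 6891): root owner name, TYPE 41, CLASS field = UDP payload
    # size, TTL field = ext-rcode/version/flags with DO as the top flag bit.
    ttl_field = 0x8000 if do else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, edns_size, ttl_field, 0)

def parse_header(resp):
    """Return the fields of the 12-byte header that matter for the fallback logic."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x0F, "ancount": an}

def classify(resp):
    """Map the outcome of one UDP attempt to the condition discussed in the thread."""
    if resp is None:
        return "no-response"   # timeout: fragments of a large answer likely dropped (PMTU)
    if parse_header(resp)["tc"]:
        return "truncated"     # server set TC: retry the query over TCP
    return "ok"

def udp_probe(server, qname, qtype, edns_size, timeout=3.0):
    """Send one DO=1 query over UDP; return the response bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, edns_size=edns_size, do=True), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    import sys  # usage: probe.py <nameserver-ip>; the server address is your choice
    for size in (4096, 1280):   # large buffer first, then the 1280 workaround
        print(size, classify(udp_probe(sys.argv[1], "vip.icann.org", DNSKEY, size)))
```

A "no-response" at 4096 that turns into "ok" or "truncated" at 1280 points at fragment loss on the path; the unbound.conf option the reply refers to is `edns-buffer-size`.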