Maintained by: NLnet Labs

[Unbound-users] faa.gov is not resolvable using DNSSEC resolver.

W.C.A. Wijngaards
Mon Oct 10 20:19:49 CEST 2011



Hi Jamal,

Your trace shows that unbound thinks the connection drops MTU 1500+
packets.  Faa.gov uses large keys and has a lot of answers above 1480 -
i.e. DNSKEY, NXDOMAIN answers.  Thus your trouble likely stems from
fragmentation issues.  Your server cannot receive UDP DNS responses that
are larger than 1480 or so.

A simple dig @..faaserver faa.gov DNSKEY +dnssec from the server shows
the timeout it produces, likely.

The best solution is to fix the path that is dropping UDP fragments.
Fix your firewall, upgrade it, change cisco router rules on old
equipment.  It must be close to your end, because I can get the
fragments just fine.  This is the best fix, because it allows your
server to run better with large responses, and generally cleans up your
network.

The workaround is edns-buffer-size: 1280 in unbound.conf.

A code fix is in the svn trunk development version of unbound.  That
version should fall back to a smaller edns size automatically for you.

And there are useful MTU size test sites out there too.

Best regards,
   Wouter

On 10/10/2011 04:41 PM, Bouzeryouh, Jamal wrote:
> Hi,
>  
> www.faa.gov <http://www.faa.gov> can be resolved using a non-DNSSEC
> resolver to 2.20.116.95. However, I failed to resolve this domain using
> a DNSSEC Unbound-1.4.10 resolver.
> The attached trace is the logging of "dig localhost faa.gov" in debug
> level 5 (Verbosity).
>  
> Do you have any idea why this domain is not resolvable using DNSSEC?
>  
> Thanks in adv.
>  
> Jamal Bouzeryouh
>  
> System Engineer OPS-Data
> T-Mobile Netherlands BV
>  

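Wouter's diagnosis (a large EDNS/DNSSEC answer times out while a 1280-byte buffer works) can be reproduced from the affected host without dig. The script below is an added example written for this thread; it is not code from the list post or from Unbound. It builds a DNSKEY query with an EDNS0 OPT record advertising a chosen UDP payload size and the DO bit, sends it to a resolver (assumed to be the local Unbound at 127.0.0.1 unless you pass a host and name on the command line), classifies the outcome, and turns the pair of outcomes into the same verdict Wouter gives: fix the path that drops UDP fragments, or fall back to `edns-buffer-size: 1280`.

```python
"""Probe whether a resolver host can receive large UDP DNS responses.

Added example for the Unbound-users thread on faa.gov; stdlib only.
The defaults (127.0.0.1, faa.gov) are assumptions, not values from Unbound.
"""
import random
import socket
import struct
import sys

DNSKEY = 48          # RR type Wouter suggests querying
OPT = 41             # EDNS0 pseudo-RR type
DO_FLAG = 0x8000     # "DNSSEC OK" bit inside the OPT TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted domain name in DNS wire format (labels + root)."""
    wire = b""
    for label in name.strip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_query(name: str, qtype: int, bufsize: int, txid: int = None) -> bytes:
    """Build a recursion-desired query carrying an OPT RR that advertises `bufsize`."""
    if txid is None:
        txid = random.randrange(0x10000)
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH = 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_FLAG, 0)
    return header + question + opt


def parse_header(data: bytes) -> dict:
    """Extract the header fields needed to classify a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit the buffer
        "rcode": flags & 0x000F,
        "ancount": an,
        "size": len(data),
    }


def probe(server: str, name: str, bufsize: int, timeout: float = 3.0) -> str:
    """Send one DNSKEY query over UDP and return 'ok', 'tc' or 'timeout'."""
    txid = random.randrange(0x10000)
    query = build_query(name, DNSKEY, bufsize, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                hdr = parse_header(data)
                if hdr["id"] == txid and hdr["qr"]:   # ignore stray datagrams
                    return "tc" if hdr["tc"] else "ok"
        except socket.timeout:
            return "timeout"


def diagnose(results: dict) -> str:
    """Interpret outcomes keyed by advertised buffer size (values from probe())."""
    large, small = results.get(4096), results.get(1280)
    if large == "ok":
        return "large UDP responses arrive; fragments are not being dropped on this path"
    if large == "timeout" and small in ("ok", "tc"):
        return ("answers above the path MTU are lost but a 1280-byte buffer works: "
                "fix the firewall/router dropping UDP fragments, or set edns-buffer-size: 1280")
    if large == "timeout" and small == "timeout":
        return "no answer at either size; the problem is not fragmentation alone"
    return "inconclusive"


if __name__ == "__main__":
    server, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("127.0.0.1", "faa.gov")
    outcome = {size: probe(server, name, size) for size in (4096, 1280)}
    print(outcome)
    print(diagnose(outcome))
```

Run it on the resolver host itself, pointing at the upstream authoritative server as well as at the local Unbound, so you can tell whether the drop happens on the resolver's own uplink or further out; a `tc` result at 1280 simply means the answer is too big for that buffer and the resolver will retry over TCP, which is the behaviour the `edns-buffer-size: 1280` workaround relies on.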