Maintained by: NLnet Labs

[Unbound-users] faa.gov is not resolvable using DNSSEC resolver.

Chris Gotstein
Mon Oct 10 21:06:33 CEST 2011


I'm seeing the same issues with faa.gov.  I had similar issues with .gov 
addresses a few months ago; the problem was an ACL rule dropping 
fragmented packets.  Removed that rule and things started working again. 
I do not see any other MTU or fragment issues on our network, yet we 
cannot resolve faa.gov.

On 10/10/2011 1:19 PM, W.C.A. Wijngaards wrote:
> Hi Jamal,
>
> Your trace shows that unbound thinks the connection drops MTU 1500+
> packets.  Faa.gov uses large keys and has a lot of answers above 1480 -
> i.e. DNSKEY, NXDOMAIN answers.  Thus your trouble likely stems from
> fragmentation issues.  Your server cannot receive UDP DNS responses that
> are larger than 1480 or so.
>
> A simple dig @..faaserver faa.gov DNSKEY +dnssec from the server shows
> the timeout it produces, likely.
>
> The best solution is to fix the path that is dropping UDP fragments.
> Fix your firewall, upgrade it, change cisco router rules on old
> equipment.  It must be close to your end, because I can get the
> fragments just fine.  This is the best fix, because it allows your
> server to run better with large responses, and generally cleans up your
> network.
>
> The workaround is edns-buffer-size: 1280 in unbound.conf.
>
> A code fix is in the svn trunk development version of unbound.  That
> version should fall back to a smaller edns size automatically for you.
>
> And there are useful MTU size test sites out there too.
>
> Best regards,
>     Wouter
>
> On 10/10/2011 04:41 PM, Bouzeryouh, Jamal wrote:
>> Hi,
>>
>> www.faa.gov <http://www.faa.gov> can be resolved using a non-DNSSEC resolver at
>> 2.20.116.95. However, I failed to resolve this domain using a DNSSEC
>> Unbound-1.4.10 resolver.
>> The attached trace is the logging of "dig localhost faa.gov" in debug
>> level 5 (Verbosity).
>>
>> Do you have any idea why this domain is not resolvable using DNSSEC?
>>
>> Thanks in adv.
>>
>> Jamal Bouzeryouh
>>
>> System Engineer OPS-Data
>> T-Mobile Netherlands BV
>>
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>

-- 
---- ---- ---- ----
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com
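The check Wouter describes in the quoted reply (a DNSKEY +dnssec query that times out when the path drops UDP fragments, but works at an EDNS buffer size of 1280) can be scripted so the two cases are compared side by side. The following is an added example written for this thread; it is not code from Unbound, NLnet Labs, or any of the posters. It hand-builds a DNS query with an EDNS0 OPT record advertising a chosen UDP payload size (the same thing `dig +dnssec +bufsize=N` does), sends it over UDP, and reports whether an answer came back and whether it was truncated. The server address (default 127.0.0.1), the query name (faa.gov, taken from the thread), the 3-second timeout and the 4096/1280 probe sizes are assumptions of this example. If the 4096-byte probe times out while the 1280-byte probe answers, the path between you and the server is dropping fragments, which is the condition `edns-buffer-size: 1280` in unbound.conf works around.

```python
"""Probe a DNS server at two EDNS0 buffer sizes to detect dropped UDP fragments.
Added example for the faa.gov thread; not code from Unbound or NLnet Labs."""
import random
import socket
import struct
import sys

DNSKEY = 48           # QTYPE for DNSKEY, the large answer the thread is about
OPT = 41              # pseudo-RR type carrying EDNS0 parameters
DO_BIT = 0x00008000   # DNSSEC OK flag in the OPT record's TTL field
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a domain name: each label prefixed by its length, then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, bufsize, txid=None):
    """Build a query with EDNS0 OPT record: class field = UDP payload size, DO set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # header: id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name (0x00), type 41, "class" = bufsize, "TTL" = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT, 0)
    return header + question + opt


def parse_response(data):
    """Return id, rcode name, TC bit and total size from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", data[:4])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "tc": bool(flags & 0x0200),   # TC: server could not fit the answer in bufsize
        "size": len(data),
    }


def probe(server, name, bufsize, timeout=3.0, qtype=DNSKEY):
    """Send one query; return parse_response() dict, or None on timeout/mismatch."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, qtype, bufsize, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    info = parse_response(data)
    return info if info["id"] == txid else None


def diagnose(results):
    """Classify {bufsize: result-or-None}: large probe lost but 1280 answered
    points at dropped fragments on the path (the thread's failure mode)."""
    big, small = results.get(4096), results.get(1280)
    if big is None and small is None:
        return "server-unreachable"
    if big is None and small is not None:
        return "fragments-dropped"
    return "ok"


if __name__ == "__main__":
    # usage: python probe.py [server] [name]   (defaults are this example's assumptions)
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "faa.gov"
    results = {}
    for size in (4096, 1280):
        results[size] = probe(server, name, size)
        print(f"bufsize={size}: {results[size] or 'TIMEOUT'}")
    print("verdict:", diagnose(results))
```

A truncated (TC) 1280-byte answer is still a healthy sign here: it means the server replied and a resolver will retry over TCP, whereas a bare timeout at 4096 with a reply at 1280 is the fragment-drop signature. Fixing the firewall or router rule that eats fragments remains the proper fix; the 1280 setting only sidesteps it.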