Re: EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)
From: bmanning () vacation karoshi com
Date: Fri, 1 Jan 2010 22:16:31 +0000
On Fri, Jan 01, 2010 at 09:44:13PM +0000, Paul Vixie wrote:
> Jason Bertoch <jason () i6ix com> writes:
> Dec 31 10:12:37 linux-1ij2 named: too many timeouts resolving
> 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS
> Do you have a firewall in front of this server that limits DNS packets to
> statistically speaking, yes, most people have that. which is damnfoolery,
> but well supported by the vendors, who think either that udp/53 datagrams
> larger than 512 octets are amplification attacks, or that udp packets having
> no port numbers because they are fragments lacking any udp port information,
> are evil and dangerous. sadly, no one has yet been fired for buying devices
> that implement this kind of overspecification. hopefully that will change
> after the DNS root zone is signed and udp/53 responses start to generally
> include DNSSEC signatures, pushing most of them way over the 512 octet limit.
> it's going to be another game of chicken -- will the people who build and/or
> deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
well, having been pushing vendors for a while on this, expect
at least Checkpoint and Cisco to have corrected solutions fielded
soon - and RedHat has fixed their DNSMASQ code since it was pointed
out to them that their defaults were based on flawed assumptions.
Not a lost cause - but the inertia of the installed base is huge and
it will take more than the last six months of work to make a dent.
It would help if the BIND EDNS0 negotiation would not fall back to the
512 byte limit - perhaps you could talk with the ISC developers about
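As an added example (not code from the thread, from BIND or from ISC), the two pieces of this exchange in working form: a matcher for the named "disabling EDNS" fallback line quoted above, and a minimal EDNS0 (RFC 6891) query builder plus parser that reads back the UDP payload size an OPT record advertises, which is the value a middlebox stuck at 512 octets is ignoring. The sample log lines, the query name and the 4096-byte buffer size are constructed for the example.

```python
import re
import struct
FALLBACK_RE = re.compile(  # the fallback line BIND logs, as quoted in the thread
    r"named: too many timeouts resolving '([^']+)' \(in '([^']+)'\?\): disabling EDNS")

def edns_fallbacks(log_lines):
    """Return (query, zone) pairs for every EDNS fallback BIND logged."""
    return [m.groups() for line in log_lines if (m := FALLBACK_RE.search(line))]

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qtype=1, txid=0x1234, bufsize=4096):
    """DNS query carrying one OPT pseudo-RR (RFC 6891) that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer (0xC0..) ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def advertised_bufsize(msg):
    """UDP payload size from the message's OPT RR, or 512 (RFC 1035 default) if absent."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

SAMPLE_LOG = [  # constructed, modelled on the syslog line quoted in the thread
    "Dec 31 10:12:37 linux-1ij2 named: too many timeouts resolving 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS",
    "Dec 31 10:12:38 linux-1ij2 named: zone example.net/IN: loaded serial 42",
]
```

A query whose OPT record is stripped (or never sent, once BIND has fallen back) parses as the 512-octet default, which is exactly the ceiling the firewalls in the thread enforce.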