nanog mailing list archives

Re: Common operational misconceptions
From: Mark Andrews <marka () isc org>
Date: Fri, 17 Feb 2012 00:51:26 +1100


In message <20120216.130143.74691634.sthaug () nethelp no>, sthaug () nethelp no writes:
> If you want to know if your resolver talks IPv6 to the world and
> supports 4096 EDNS UDP messages the following query will tell you.
> 
>             dig edns-v6-ok.isc.org txt
> 
> Similarly for IPv4.
> 
>             dig edns-v4-ok.isc.org txt
> 
> Both PowerDNS recursor 3.3 and Nominum CNS 3.0.5 have problems
> with these queries. They both get the TC answer from 149.20.64.58 /
> 2001:4f8:0:2::8. Then:

I stated very clearly the conditions under which the queries would
resolve.
 
> - CNS tries with 4000 EDNS UDP size (4000 is the CNS documented max
> UDP size), gets another TC.
> 
> - PowerDNS doesn't try to use EDNS at all.
> 
> Then they both try TCP and get a RST. And then they return SERVFAIL.

Correct. Those servers are deliberately configured to not answer
TCP as they are for testing the EDNS UDP path.  They also put out
an answer that will exactly fill a 4096 byte EDNS UDP message which
is the default and largest EDNS UDP size advertised by named.  This
allows someone running named to test their firewall configuration
to ensure that it will let through any EDNS UDP reply, size wise,
that can occur.  As IPv4 and IPv6 are often configured independently
we provide a way to test each independently.


> Steinar Haug, Nethelp consulting, sthaug () nethelp no
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
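The mechanics the thread turns on (the EDNS0 OPT record advertising a UDP payload size, the TC bit in a reply that did not fit, and the TCP fallback that the ISC test hosts refuse on purpose) can be seen directly in the wire format. The following is an added example written for this archive page, not code from the thread, from ISC or from the named/PowerDNS/CNS projects. It builds a TXT query with a chosen EDNS UDP size, parses a reply for the TC bit and the server's advertised size, and classifies what a resolver should do next. The sample replies are constructed in the block; the 4096-byte size and the edns-v4-ok.isc.org name come from the thread, while the default server address 127.0.0.1 (your own resolver, as `dig` would use) and the `classify` verdict strings are assumptions of this example.

```python
import socket
import struct

# Added, constructed example: DNS wire-format pieces behind the EDNS UDP-size test.
# The 4096 default comes from the thread; everything else here is an assumption.

TXT, OPT = 16, 41
TC_FLAG = 0x0200


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".") if label) + b"\x00"


def build_query(name: str, udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Query name/IN/TXT with RD set and an EDNS0 OPT RR advertising udp_size.
    udp_size=0 means no EDNS at all, i.e. the classic 512-byte UDP limit."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TXT, 1)
    # OPT RR: owner is the root name; the CLASS field carries the UDP payload size,
    # the TTL field holds extended RCODE / version / flags (all zero here), RDLENGTH 0.
    opt = (b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)) if udp_size else b""
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract what the UDP-size test hinges on: TC bit, RCODE, the responder's EDNS size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "answers": an, "edns_udp_size": None, "length": len(msg)}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["edns_udp_size"] = rclass       # CLASS of the OPT RR = UDP payload size
    return info


def classify(info: dict, tcp_ok: bool) -> str:
    """What a resolver should conclude from one UDP reply; tcp_ok says whether a
    TCP retry can succeed (the ISC test hosts refuse TCP, so it cannot there)."""
    if info["rcode"] != 0:
        return "error rcode %d" % info["rcode"]
    if not info["tc"]:
        return "ok: full answer fit in UDP"
    if tcp_ok:
        return "truncated: retry over TCP"
    return "truncated and TCP refused: SERVFAIL"


def build_response(query: bytes, txt_len: int, tc: bool, udp_size: int = 4096) -> bytes:
    """Constructed reply to `query`: echoes the question, adds one TXT answer of
    txt_len bytes (dropped when tc is set, as a truncating server does) plus an OPT RR."""
    txid = query[:2]
    flags = 0x8180 | (TC_FLAG if tc else 0)      # QR, RD, RA, optionally TC
    qend = _skip_name(query, 12) + 4
    question = query[12:qend]
    answer = b"" if tc else (b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 60, txt_len + 1)
                             + bytes([txt_len]) + b"x" * txt_len)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return (txid + struct.pack("!HHHHH", flags, 1, 0 if tc else 1, 0, 1)
            + question + answer + opt)


def probe(name: str, udp_size: int = 4096, server: str = "127.0.0.1", timeout: float = 3.0) -> dict:
    """Live check (needs network): send the query to `server` over UDP and parse the reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_size), (server, 53))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


if __name__ == "__main__":
    # Offline walk-through of the two outcomes the thread describes.
    q = build_query("edns-v4-ok.isc.org", 4096)
    print(classify(parse_response(build_response(q, 200, tc=False)), tcp_ok=False))
    print(classify(parse_response(build_response(q, 200, tc=True)), tcp_ok=False))
```

Running `probe("edns-v4-ok.isc.org", 4096)` against a resolver reproduces the `dig` check from the thread in code: a reply with `tc` false means the 4096-byte EDNS path is open, while `tc` true with no TCP fallback available is exactly the path that ends in SERVFAIL for a resolver advertising less than 4096 or no EDNS at all.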

