EDNS Support


I am having problems with EDNS support on a few CentOS 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or CentOS.

All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:

https://www.dns-oarc.net/oarc/services/replysizetest

dig @localhost +short rs.dns-oarc.net txt

gets:

;; Truncated, retrying in TCP mode.

Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for CentOS or something like that…

5 thoughts on - EDNS Support

  • Robert Moskowitz wrote:

    As root, on a server running dhcpd but *not* bind (I only see rpcbind), I get
    ;; connection timed out; no servers could be reached on a system running 6.3, current.

    mark

  • On 01.03.2013 16:56, Robert Moskowitz wrote:

    With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:

    [ts@dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
    rst.x996.rs.dns-oarc.net.
    rst.x1956.x996.rs.dns-oarc.net.
    rst.x2442.x1956.x996.rs.dns-oarc.net.
    "Tested at 2013-03-01 16:18:18 UTC"
    "x.x.x.3 sent EDNS buffer size 4096"
    "x.x.x.3 DNS reply size limit is at least 2442"
    [ts@dns01 ~]$

    IPv6 works equally well:

    [ts@dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
    rst.x3827.rs.dns-oarc.net.
    rst.x4049.x3827.rs.dns-oarc.net.
    rst.x4055.x4049.x3827.rs.dns-oarc.net.
    "x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
    "x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
    "Tested at 2013-03-01 16:21:29 UTC"
    [ts@dns01 ~]$

  • As I said, mine is the Juniper SSG5. I do have current firmware
    (supposedly) on it to fix an IPv6 outbound routing problem.

    SSG140 runs a different OS.

  • On 01.03.2013 17:39, Robert Moskowitz wrote:
    […]
    […]

    Yeah, sure. You asked for “anyone running bind” to run your test, so I
    did. If you wanted only results from people with a SSG5 you should have said so.

  • You are right. Sorry. I was a little rushed, but that is no reason for my reply. Thank you for the testing, it is pointing to the challenge being the SSG5.

    I got the unit from the developers for testing, and do not have a support contract, so I will probably have to wait until IETF in 2 weeks to sit down again with the developers to figure this out.
