On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
On 01.03.2013 16:56, Robert Moskowitz wrote:
I am having problems with EDNS support on a few CentOS 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or CentOS.
All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:
https://www.dns-oarc.net/oarc/services/replysizetest
dig @localhost +short rs.dns-oarc.net txt
gets:
;; Truncated, retrying in TCP mode.
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for CentOS or something like that...
With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
[ts@dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
[ts@dns01 ~]$
IPv6 works equally well:
[ts@dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
"x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
"Tested at 2013-03-01 16:21:29 UTC"
[ts@dns01 ~]$
As I said, mine is the Juniper SSG5. I do have current firmware (supposedly) on it to fix an IPv6 outbound routing problem.
SSG140 runs a different OS.
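The two dig runs quoted in this thread are the only data the question turns on, so a small parser for the DNS-OARC reply size test output is useful when checking many servers or firewalls. The following is an added example written for this page, not code from the thread or from DNS-OARC; the sample outputs are constructed to mirror the two outcomes quoted above (addresses masked as in the thread), and the `diagnose()` labels are the example's own naming, not terms used by the test.

```python
"""
Parse `dig @<server> +short rs.dns-oarc.net txt` output (the DNS-OARC
reply size test discussed in the thread) and summarise what it says
about EDNS reply sizes on the path.

Added example for this page; the samples below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the successful IPv4 run quoted in the reply.
SAMPLE_OK = """rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
"""

# Constructed sample: the failing run quoted in the original question.
SAMPLE_TRUNCATED = """;; Truncated, retrying in TCP mode.
"""


@dataclass
class ReplySizeResult:
    truncated_to_tcp: bool            # dig printed the TCP fallback notice
    edns_buffer_sent: Optional[int]   # buffer size our resolver advertised
    reply_size_limit: Optional[int]   # largest UDP reply the test saw arrive
    probe_sizes: List[int] = field(default_factory=list)  # sizes probed, in order


_TRUNC_RE = re.compile(r'^;; Truncated, retrying in TCP mode\.')
_BUF_RE = re.compile(r'sent EDNS buffer size (\d+)')
_LIMIT_RE = re.compile(r'DNS reply size limit is at least (\d+)')
# Each probe label starts with the size of that step: rst.x1956.x996...
_PROBE_RE = re.compile(r'^rst\.x(\d+)\.')


def parse_dig_output(text: str) -> ReplySizeResult:
    """Extract the test's figures from dig's +short output."""
    result = ReplySizeResult(False, None, None)
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        if not line:
            continue
        if _TRUNC_RE.match(line):
            result.truncated_to_tcp = True
            continue
        m = _PROBE_RE.match(line)
        if m:
            result.probe_sizes.append(int(m.group(1)))
            continue
        m = _BUF_RE.search(line)
        if m:
            result.edns_buffer_sent = int(m.group(1))
            continue
        m = _LIMIT_RE.search(line)
        if m:
            result.reply_size_limit = int(m.group(1))
    return result


def diagnose(result: ReplySizeResult) -> str:
    """
    Classify a result (labels are this example's own):
      tcp-fallback     - no EDNS result at all; dig had to retry over TCP
      below-advertised - largest UDP reply seen is smaller than the buffer
                         size advertised, so bigger UDP replies were lost
                         somewhere on the path
      ok               - the reply size limit matched the advertised buffer
      incomplete       - output lacked the figures needed to decide
    """
    if result.truncated_to_tcp and result.reply_size_limit is None:
        return "tcp-fallback"
    if result.edns_buffer_sent is None or result.reply_size_limit is None:
        return "incomplete"
    if result.reply_size_limit < result.edns_buffer_sent:
        return "below-advertised"
    return "ok"


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED)):
        r = parse_dig_output(sample)
        print(name, diagnose(r), r)
```

To use it against a live server, pipe the real output in: `dig @localhost +short rs.dns-oarc.net txt | python3 parse_rs.py` with a `sys.stdin.read()` in place of the samples. Running it once with iptables/ip6tables stopped and once with the upstream firewall bypassed, and comparing the `reply_size_limit` values, separates a host-side limit from one imposed by the firewall, which is the distinction the original question is trying to make.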