I am having problems with EDNS support on a few Centos 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or Centos.
All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:
https://www.dns-oarc.net/oarc/services/replysizetest
dig @localhost +short rs.dns-oarc.net txt
gets:
;; Truncated, retrying in TCP mode.
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for Centos or something like that...
Robert Moskowitz wrote:
I am having problems with EDNS support on a few Centos 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or Centos.
All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:
https://www.dns-oarc.net/oarc/services/replysizetest
dig @localhost +short rs.dns-oarc.net txt
gets:
;; Truncated, retrying in TCP mode.
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my
<snip> As root, on a server running dhcpd but *not* bind (I only see rpcbind), I get ;; connection timed out; no servers could be reached on a system running 6.3, current.
mark
On 01.03.2013 16:56, Robert Moskowitz wrote:
I am having problems with EDNS support on a few Centos 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or Centos.
All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:
https://www.dns-oarc.net/oarc/services/replysizetest
dig @localhost +short rs.dns-oarc.net txt
gets:
;; Truncated, retrying in TCP mode.
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for Centos or something like that...
With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
[ts@dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
[ts@dns01 ~]$
IPv6 works equally well:
[ts@dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
"x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
"Tested at 2013-03-01 16:21:29 UTC"
[ts@dns01 ~]$
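The two outcomes seen in this thread, dig falling back to TCP in the original post and a measured reply size limit in the results above, can be told apart mechanically. The POSIX shell function below is an added example, not something anyone posted in the thread: it reads the output of the dig command from the original post on standard input, extracts the advertised EDNS buffer size and the measured reply size limit, and reports whether the UDP path looks healthy. The three-quarters threshold it uses to call a path "limited" is an assumed rule of thumb, not part of the DNS-OARC test, and the sample transcripts are constructed in the shape of the results quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: interpret a run of
#   dig @localhost +short rs.dns-oarc.net txt 2>&1
# (the DNS-OARC reply size test) read from standard input.
# Prints exactly one line and returns 0 only for a healthy path:
#   TRUNCATED               dig got a reply with TC set and fell back to TCP,
#                           the symptom from the original post: the large
#                           UDP answer did not make it through
#   LIMITED <limit> <sent>  a limit was measured but sits well below the
#                           EDNS buffer size that was advertised, so large
#                           UDP replies (normally IP fragments) are being lost
#   OK <limit> <sent>       the measured limit is close to the advertised size
#   UNKNOWN                 neither a truncation nor a measurement was seen
edns_verdict() {
    truncated=0
    limit=''
    sent=''
    while IFS= read -r line; do
        case $line in
            *'Truncated, retrying in TCP mode'*)
                truncated=1 ;;
            *'sent EDNS buffer size'*)
                # "x.x.x.3 sent EDNS buffer size 4096"  ->  4096
                sent=${line##*sent EDNS buffer size }
                sent=${sent%\"*} ;;
            *'DNS reply size limit is at least'*)
                # "x.x.x.3 DNS reply size limit is at least 2442"  ->  2442
                limit=${line##*is at least }
                limit=${limit%\"*} ;;
        esac
    done
    if [ "$truncated" -eq 1 ]; then
        echo TRUNCATED
        return 1
    fi
    if [ -z "$limit" ] || [ -z "$sent" ]; then
        echo UNKNOWN
        return 2
    fi
    # Assumed rule of thumb (not defined by the test itself): the test pads
    # answers in steps, so the measured limit always lands a little under the
    # advertised size; treat anything below three quarters of it as a path
    # that drops large UDP replies.
    if [ "$limit" -lt $((sent * 3 / 4)) ]; then
        echo "LIMITED $limit $sent"
        return 1
    fi
    echo "OK $limit $sent"
    return 0
}

# Constructed transcripts (not real captures), shaped like the thread's output.
SAMPLE_TRUNCATED=';; Truncated, retrying in TCP mode.
rst.x996.rs.dns-oarc.net.'
SAMPLE_IPV4='rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"'
SAMPLE_IPV6='rst.x3827.rs.dns-oarc.net.
"x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
"x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"'

# Stand-alone run over the constructed samples. On a real server replace the
# printf with:  dig @localhost +short rs.dns-oarc.net txt 2>&1 | edns_verdict
for s in "$SAMPLE_TRUNCATED" "$SAMPLE_IPV4" "$SAMPLE_IPV6"; do
    printf '%s\n' "$s" | edns_verdict || :
done
```

The function only parses dig's output, so it can be run against a saved transcript from a server that is not reachable from the machine doing the analysis. A TRUNCATED verdict says the large UDP answer never arrived at all, whichever hop is responsible; a LIMITED verdict narrows it to large UDP replies being dropped somewhere on the path while smaller EDNS replies still get through, which is where a firewall's handling of IP fragments is the first thing to check.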
On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
On 01.03.2013 16:56, Robert Moskowitz wrote:
I am having problems with EDNS support on a few Centos 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or Centos.
All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:
https://www.dns-oarc.net/oarc/services/replysizetest
dig @localhost +short rs.dns-oarc.net txt
gets:
;; Truncated, retrying in TCP mode.
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for Centos or something like that...
With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
[ts@dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
[ts@dns01 ~]$
IPv6 works equally well:
[ts@dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
"x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
"Tested at 2013-03-01 16:21:29 UTC"
[ts@dns01 ~]$
As I said, mine is the Juniper SSG5. I do have current firmware (supposedly) on it to fix an IPv6 outbound routing problem.
SSG140 runs a different OS.
On 01.03.2013 17:39, Robert Moskowitz wrote:
On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
On 01.03.2013 16:56, Robert Moskowitz wrote:
[...]
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for Centos or something like that...
With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
[...]
As I said, mine is the Juniper SSG5. I do have current firmware (supposedly) on it to fix an IPv6 outbound routing problem.
SSG140 runs a different OS.
Yeah, sure. You asked for "anyone running bind" to run your test, so I did. If you wanted only results from people with a SSG5 you should have said so.
On 03/01/2013 05:03 PM, Tilman Schmidt wrote:
On 01.03.2013 17:39, Robert Moskowitz wrote:
On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
On 01.03.2013 16:56, Robert Moskowitz wrote:
[...]
Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for Centos or something like that...
With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
[...]
As I said, mine is the Juniper SSG5. I do have current firmware (supposedly) on it to fix an IPv6 outbound routing problem.
SSG140 runs a different OS.
Yeah, sure. You asked for "anyone running bind" to run your test, so I did. If you wanted only results from people with a SSG5 you should have said so.
You are right. Sorry. I was a little rushed, but that is no reason for my reply. Thank you for the testing, it is pointing to the challenge being the SSG5.
I got the unit from the developers for testing, and do not have a support contract, so I will probably have to wait until IETF in 2 weeks to sit down again with the developers to figure this out.