On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
> On 01.03.2013 16:56, Robert Moskowitz wrote:
>> I am having problems with EDNS support on a few Centos 6.3 bind
>> servers. I am trying to determine if the problem is my Juniper SSG5
>> firewall or Centos.
>>
>> All the servers have firewall enabled, though I have tested with
>> stopping iptables and ip6tables. I am using tests from:
>>
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> dig @localhost +short rs.dns-oarc.net txt
>>
>> gets:
>>
>> ;; Truncated, retrying in TCP mode.
>>
>> Is anyone here running bind on their server and can run this command
>> from the server? If you are not getting this truncation, then my
>> problem is the firewall. If you are, then either you have figured out
>> the magic for Centos or something like that...
> With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
>
> [ts at dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
> rst.x996.rs.dns-oarc.net.
> rst.x1956.x996.rs.dns-oarc.net.
> rst.x2442.x1956.x996.rs.dns-oarc.net.
> "Tested at 2013-03-01 16:18:18 UTC"
> "x.x.x.3 sent EDNS buffer size 4096"
> "x.x.x.3 DNS reply size limit is at least 2442"
> [ts at dns01 ~]$
>
> IPv6 works equally well:
>
> [ts at dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x4049.x3827.rs.dns-oarc.net.
> rst.x4055.x4049.x3827.rs.dns-oarc.net.
> "x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
> "x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
> "Tested at 2013-03-01 16:21:29 UTC"
> [ts at dns01 ~]$

As I said, mine is the Juniper SSG5. I do have current firmware
(supposedly) on it to fix an IPv6 outbound routing problem. SSG140 runs
a different OS.
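
An added example, not part of the original thread: what the two things discussed above look like on the wire, namely the EDNS OPT record that advertises a UDP buffer size such as 4096, and the TC (truncated) header bit that makes dig print ";; Truncated, retrying in TCP mode." The function names are hypothetical and the sample reply is constructed, not a capture from either poster's server.

```python
import struct

TYPE_TXT, TYPE_OPT, FLAG_TC = 16, 41, 0x0200

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns_size=4096, txid=0x1234):
    """Build a TXT query; edns_size=0 omits the OPT record (plain DNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the advertised UDP size
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0) if edns_size else b""
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect(msg):
    """Report the TC bit and the EDNS UDP size carried in a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, edns = 12, None
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                edns = rclass
    except (IndexError, struct.error):
        pass  # message ended before the counted records did
    return {"truncated": bool(flags & FLAG_TC), "edns_udp_size": edns, "length": len(msg)}

# Constructed sample: the query echoed back with QR, TC, RD and RA set and no
# answers, the kind of UDP reply that sends dig to TCP.
QUERY = build_query("rs.dns-oarc.net")
SAMPLE_TRUNCATED = QUERY[:2] + struct.pack("!H", 0x8380) + QUERY[4:]

if __name__ == "__main__":
    print(inspect(QUERY))
    print(inspect(SAMPLE_TRUNCATED))
```

Running `inspect()` over UDP payloads captured on each side of the firewall shows whether the OPT record and its advertised size survive the path, and on which side the TC bit first appears.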