[CentOS] EDNS support

Fri Mar 1 16:39:37 UTC 2013
Robert Moskowitz <rgm at htt-consult.com>

On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
> Am 01.03.2013 16:56, schrieb Robert Moskowitz:
>> I am having problems with EDNS support on a few CentOS 6.3 bind
>> servers.  I am trying to determine if the problem is my Juniper SSG5
>> firewall or CentOS.
>>
>> All the servers have firewall enabled, though I have tested with
>> stopping iptables and ip6tables.  I am using tests from:
>>
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> dig @localhost +short rs.dns-oarc.net txt
>>
>> gets:
>>
>> ;; Truncated, retrying in TCP mode.
>>
>> Is anyone here running bind on their server and can run this command
>> from the server?  If you are not getting this truncation, then my
>> problem is the firewall.  If you are, then either you have figured out
>> the magic for CentOS or something like that...
> With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
>
> [ts at dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
> rst.x996.rs.dns-oarc.net.
> rst.x1956.x996.rs.dns-oarc.net.
> rst.x2442.x1956.x996.rs.dns-oarc.net.
> "Tested at 2013-03-01 16:18:18 UTC"
> "x.x.x.3 sent EDNS buffer size 4096"
> "x.x.x.3 DNS reply size limit is at least 2442"
> [ts at dns01 ~]$
>
> IPv6 works equally well:
>
> [ts at dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x4049.x3827.rs.dns-oarc.net.
> rst.x4055.x4049.x3827.rs.dns-oarc.net.
> "x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
> "x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
> "Tested at 2013-03-01 16:21:29 UTC"
> [ts at dns01 ~]$

As I said, mine is the Juniper SSG5.  I do have current firmware 
(supposedly) on it to fix an IPv6 outbound routing problem.

SSG140 runs a different OS.
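As an added example (not code from the thread or from either poster), here is a small POSIX shell helper that classifies the output of the DNS-OARC reply size test quoted above, `dig @localhost +short rs.dns-oarc.net txt`, so the check can be scripted across several servers. It applies the diagnostic logic of the thread: a ";; Truncated, retrying in TCP mode." line means the large UDP reply never arrived and the UDP path (firewall or resolver) needs attention, while a "DNS reply size limit is at least N" line gives the measured limit. The function names (`classify_edns_reply`, `probe_edns`) and the sample outputs embedded in the script are constructed for this example; `probe_edns` needs `dig` and network access, the rest runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread): classify the result of the
# DNS-OARC reply size test the thread runs with
#   dig @localhost +short rs.dns-oarc.net txt
# Function names and the sample outputs below are constructed for this
# example.

# classify_edns_reply: read dig output on stdin and print one line:
#   TRUNCATED      - ";; Truncated, retrying in TCP mode." was seen, i.e. the
#                    large UDP reply did not get through (exit status 1)
#   LIMIT <bytes>  - reply size limit reported by rs.dns-oarc.net (exit 0)
#   UNKNOWN        - neither marker present (exit status 2)
classify_edns_reply() {
    reply=$(cat)
    if printf '%s\n' "$reply" | grep -q '^;; Truncated, retrying in TCP mode'; then
        echo TRUNCATED
        return 1
    fi
    limit=$(printf '%s\n' "$reply" \
        | sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$limit" ]; then
        echo "LIMIT $limit"
        return 0
    fi
    echo UNKNOWN
    return 2
}

# probe_edns SERVER: run the live test (needs dig and network access) and
# classify it; the exit status follows classify_edns_reply so it can gate
# an alert, e.g.  probe_edns localhost || mail -s 'EDNS truncation' admin
probe_edns() {
    dig "@${1:-localhost}" +short rs.dns-oarc.net txt 2>&1 | classify_edns_reply
}

# Constructed sample outputs modelled on the thread, for offline use.
SAMPLE_GOOD='rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"'
SAMPLE_TRUNCATED=';; Truncated, retrying in TCP mode.'

printf '%s\n' "$SAMPLE_GOOD" | classify_edns_reply
printf '%s\n' "$SAMPLE_TRUNCATED" | classify_edns_reply \
    || echo "UDP replies above 512 bytes are not arriving; check the firewall's UDP/EDNS handling"
```

When the live probe reports TRUNCATED, re-running `dig` with smaller `+bufsize=` values (for example 1472, then 1232) narrows down whether any EDNS reply larger than 512 bytes is blocked or only those above a certain size, which separates a firewall that drops large UDP datagrams from ordinary fragmentation loss.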