Re: Common operational misconceptions

[Mark Andrews <marka () isc org>]

In message <20120216165308.GE65401 () macbook bluepipe net>, Phil Regnauld writes:
>       Borderline dns-ops, sorry folks! - but this is interesting
>       as we've been talking about ipv6 being operational, and this
>       is part of it...
>
> Mark Andrews (marka) writes:
> > If you are seeing TC between the resolver and the server and the TCP query is being answers then
> > something in the path is intercepting the DNS queries.
>
>       TC is on the answer from the remote server to my resolver, so yeah, seems
>       like something is messing with the packets.
>
> > >   Don't see any v6 fragments (that'd be a problem since PF doesn't handle
> > >   them on this host).
> >
> > You should see something like this on the wire.  The second query is to answer
> > dig's query over TCP.
>
>       I'm not seeing fragments as you are.
>
>       Here's what I see:
>
> 14:40:20.955876 IP6 2001:2000:1080:d::2.64561 > 2001:4f8:0:2::8.53: 52841 TXT? edns-v6-ok.isc.org. (36)
> 14:40:21.141948 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.64561: 52841*-| 0/0/0 (36)
> 14:40:21.142259 IP6 2001:2000:1080:d::2.53262 > 2001:4f8:0:2::8.53: Flags [S], seq 1112939462, win 65535, optio
> ns [mss 1440,nop,wscale 6,sackOK,TS val 2571957531 ecr 0], length 0
> 14:40:21.327895 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.53262: Flags [R.], seq 0, ack 1112939463, win 0, l
> ength 0

Which means you are seeing named in fallback mode, or have configured named to not take EDNS to
this server.  In anycase your firewall is misconfigured/broken if it is blocking fragments.

>       Cheers,
>       Phil
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org