Common operational misconceptions
marka at isc.org
Thu Feb 16 20:22:42 UTC 2012
In message <20120216165308.GE65401 at macbook.bluepipe.net>, Phil Regnauld writes:
> Borderline dns-ops, sorry folks! - but this is interesting
> as we've been talking about ipv6 being operational, and this
> is part of it...
> Mark Andrews (marka) writes:
> > If you are seeing TC between the resolver and the server and the TCP query is being answers then
> > something in the path is intercepting the DNS queries.
> TC is on the answer from the remote server to my resolver, so yeah, seems
> like something is messing with the packets.
> > > Don't see any v6 fragments (that'd be a problem since PF doesn't handle
> > > them on this host).
> > You should see something like this on the wire. The second query is to answer
> > dig's query over TCP.
> I'm not seeing fragments as you are.
> Here's what I see:
> 14:40:20.955876 IP6 2001:2000:1080:d::2.64561 > 2001:4f8:0:2::8.53: 52841 TXT? edns-v6-ok.isc.org. (36)
> 14:40:21.141948 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.64561: 52841*-| 0/0/0 (36)
> 14:40:21.142259 IP6 2001:2000:1080:d::2.53262 > 2001:4f8:0:2::8.53: Flags [S], seq 1112939462, win 65535, optio
> ns [mss 1440,nop,wscale 6,sackOK,TS val 2571957531 ecr 0], length 0
> 14:40:21.327895 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.53262: Flags [R.], seq 0, ack 1112939463, win 0, l
> ength 0
Which means you are seeing named in fallback mode, or have configured named to not take EDNS to
this server. In anycase your firewall is misconfigured/broken if it is blocking fragments.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG