ipp.gov and Google DNS (126.96.36.199)
guu at google.com
Thu May 30 18:35:54 UTC 2013
On Thu, May 30, 2013 at 2:17 PM, Casey Deccio <casey at deccio.net> wrote:
> On Thu, May 30, 2013 at 9:22 AM, Yunhong Gu <guu at google.com> wrote:
> > Google resolvers got no response (i.e. timeout) for ipp.gov/dnskey from
> > authoritative name servers. If there is anyone on this list who manages
> > ipp.gov DNS servers, please take a look. Our resolver IPs can be found at
> > https://developers.google.com/speed/public-dns/faq#locations.
> I get a response for DNSKEY just fine*. However, the payload of the
> response is 1279 bytes, and Google's resolvers set the maximum UDP
> receive payload to 1232, which results in the truncated response.
> Unfortunately, the ipp.gov servers don't respond over TCP, so the
> resolvers aren't able to retrieve ipp.gov/DNSKEY.
Thanks, I suspected this problem but tried to verify using a wrong buffer
size by mistake.
> The problem here is that the ipp.gov servers aren't responding on
> TCP/53. But out of curiosity, why a max payload size of 1232 for the
> Google resolvers? It seems like that would result in a lot more TCP
> transactions (and overhead) for queries to signed zones.
There is still a chance for fragmented UDP responses to get dropped nowadays,
so we want responses in single UDP packets or otherwise over TCP. Overhead
should be insignificant due to the cache in resolvers. That being said, we
are testing a 4k max UDP buffer and may turn it on in the near future.
> * Although, that's only if the DO bit is set; interestingly, if I
> don't set the DO bit, the response times out.
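To make the failure mode concrete, here is an added Python example (not from the thread or from either party) that builds a DNSKEY query advertising a 1232-byte EDNS buffer, models the ipp.gov authoritative as a constructed stand-in that truncates when the 1279-byte answer does not fit and never answers over TCP, and shows the resolver's UDP-then-TCP fallback hitting the same dead end the thread describes. The server and transport functions are stand-ins, not real network code.

```python
import struct

DNSKEY = 48
ANSWER_SIZE = 1279  # size of the real ipp.gov DNSKEY response quoted in the thread


def build_query(name, qtype, udp_payload=1232, do_bit=True, qid=0x1234):
    """DNS query with an EDNS0 OPT record advertising the resolver's max UDP payload."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS field = UDP payload size, TTL field carries the DO flag
    ttl = 0x8000 if do_bit else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)


def advertised_payload(query):
    """UDP payload size from the trailing OPT record; 512 if the query carries no EDNS."""
    rtype, size, _, rdlen = struct.unpack("!HHIH", query[-10:])
    return size if rtype == 41 and rdlen == 0 else 512


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)  # TC flag


def fake_udp_server(query):
    """Constructed stand-in for the ipp.gov authoritative on UDP/53: returns the full
    1279-byte answer only if it fits the advertised buffer, otherwise an empty TC=1 reply."""
    qid = query[:2]
    if advertised_payload(query) >= ANSWER_SIZE:
        return qid + struct.pack("!H", 0x8400) + b"\x00" * (ANSWER_SIZE - 4)  # QR, AA; body is padding
    return qid + struct.pack("!H", 0x8600) + b"\x00" * 8  # QR, AA, TC; no records


def fake_tcp_server(query):
    """Constructed stand-in for ipp.gov on TCP/53: never answers, as in the thread."""
    return None


def resolve(query, udp_send, tcp_send):
    """Resolver-side logic: UDP first, retry over TCP when the reply is truncated."""
    resp = udp_send(query)
    if resp is None:
        return "udp_timeout", None
    if not is_truncated(resp):
        return "udp", resp
    resp = tcp_send(query)
    return ("tcp", resp) if resp is not None else ("tcp_timeout", None)
```

With a 1232-byte buffer `resolve` ends in `tcp_timeout`, the state Google's resolvers reported; with a 4096-byte buffer the same answer arrives in one UDP packet.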