EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)
- Subject: EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)
- From: vixie at isc.org (Paul Vixie)
- Date: Fri, 01 Jan 2010 21:44:13 +0000
- In-reply-to: <[email protected]> (Jason Bertoch's message of "Thu, 31 Dec 2009 09:22:12 -0500")
- References: <000001ca8a07$cc3749a0$8262d15b@Asus> <[email protected]>
Jason Bertoch <jason at i6ix.com> writes:
>> Dec 31 10:12:37 linux-1ij2 named[14306]: too many timeouts resolving
>> 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS
>
> Do you have a firewall in front of this server that limits DNS packets to
> 512 bytes?
statistically speaking, yes, most people have that. which is damnfoolery,
but well supported by the vendors, who think either that udp/53 datagrams
larger than 512 octets are amplification attacks, or that udp packets having
no port numbers because they are fragments lacking any udp port information,
are evil and dangerous. sadly, no one has yet been fired for buying devices
that implement this kind of overspecification. hopefully that will change
after the DNS root zone is signed and udp/53 responses start to generally
include DNSSEC signatures, pushing most of them way over the 512 octet limit.
it's going to be another game of chicken -- will the people who build and/or
deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
--
Paul Vixie
KI6YSY
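An added, self-contained Python illustration (not from the thread) of the EDNS mechanics Vixie describes: it builds a query carrying an OPT RR that advertises a UDP payload size, parses a reply for the TC bit and the responder's OPT RR, and classifies a resolver-to-server path from an EDNS probe versus a plain probe, the way an operator would after seeing named log "disabling EDNS". The sample replies are constructed inline, and the labels returned by diagnose() are my own naming, not BIND's.

```python
import struct

def build_query(name, qtype=1, bufsize=4096, txid=0x1234):
    """DNS query on the wire; bufsize>0 appends an EDNS0 OPT RR advertising that UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if bufsize else 0)  # RD set
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    opt = b""
    if bufsize:  # OPT RR: root owner, TYPE 41, CLASS carries the payload size, TTL = ext flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, two octets
            return off + 2
        off += 1 + n

def inspect_response(msg):
    """Return the TC bit, the responder's EDNS payload size (None if no OPT RR) and the wire size."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    edns = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            edns = rclass
        off += 10 + rdlen
    return {"truncated": bool(flags & 0x0200), "edns_bufsize": edns, "size": len(msg)}

def diagnose(edns_reply, plain_reply):
    """Classify a path from an EDNS probe and a plain probe (None = the probe timed out)."""
    if edns_reply is None and plain_reply is not None:
        return "edns-blocked"        # only the EDNS probe dies: suspect a 512-octet UDP filter
    if edns_reply is not None and edns_reply["edns_bufsize"] is None:
        return "opt-stripped"        # a middlebox removed the OPT RR from the reply
    if plain_reply is not None and plain_reply["truncated"]:
        return "needs-edns-or-tcp"   # the answer does not fit in 512 octets without EDNS
    return "ok"
# Constructed samples (not captured traffic): an EDNS reply to the query above, and a truncated plain reply with no OPT RR.
_q = build_query("example.com")
EDNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _q[12:-11]
              + struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 1])) + _q[-11:])
PLAIN_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + build_query("example.com", bufsize=0)[12:]
```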