EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)
- Subject: EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)
- From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
- Date: Fri, 1 Jan 2010 22:16:31 +0000
- In-reply-to: <[email protected]>
- References: <000001ca8a07$cc3749a0$8262d15b@Asus> <[email protected]> <[email protected]>
On Fri, Jan 01, 2010 at 09:44:13PM +0000, Paul Vixie wrote:
> Jason Bertoch <jason at i6ix.com> writes:
>
> >> Dec 31 10:12:37 linux-1ij2 named[14306]: too many timeouts resolving
> >> 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS
> >
> > Do you have a firewall in front of this server that limits DNS packets to
> > 512 bytes?
>
> statistically speaking, yes, most people have that. which is damnfoolery,
> but well supported by the vendors, who think either that udp/53 datagrams
> larger than 512 octets are amplification attacks, or that udp packets having
> no port numbers because they are fragments lacking any udp port information,
> are evil and dangerous. sadly, no one has yet been fired for buying devices
> that implement this kind of overspecification. hopefully that will change
> after the DNS root zone is signed and udp/53 responses start to generally
> include DNSSEC signatures, pushing most of them way over the 512 octet limit.
>
> it's going to be another game of chicken -- will the people who build and/or
> deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
> --
> Paul Vixie
> KI6YSY
well, having been pushing vendors for a while on this, expect
at least Checkpoint and Cisco to have corrected solutions fielded
soon - and RedHat has fixed their DNSMASQ code since it was pointed
out to them that their defaults were based on flawed assumptions.
Not a lost cause - but the inertia of the installed base is huge and
it will take more than the last six months of work to make a dent.
It would help if the BIND EDNS0 negotiation would not fall back to the
512 byte limit - perhaps you could talk with the ISC developers about
that.
--bill
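Added example, not code from the thread or from BIND: a toy model of the exchange Paul and Bill describe (the 512-octet filter dropping a DNSSEC-sized reply, the resolver then "disabling EDNS" after repeated timeouts, and the server having to truncate). The 4096-octet advertisement, the 1200-octet signed answer and the three-timeout threshold are assumed values; it runs offline with only the standard library.

```python
# Added example: a resolver advertises a large EDNS0 buffer, a 512-byte filter drops
# the large DNSSEC reply, and after repeated timeouts the resolver "disables EDNS",
# after which the server can only answer with TC=1. Pure stdlib, no network used.
import struct

EDNS_BUFSIZE = 4096      # assumed resolver advertisement
SIGNED_REPLY_LEN = 1200  # constructed: size of the server's DNSSEC-signed answer

def build_query(qname, txid=0x1234, udp_size=None):
    """Wire-format A query; with udp_size, append an EDNS0 OPT RR (DO bit set)."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split(".")) + b"\x00"
    query = hdr + name + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if udp_size:  # OPT RR: root name, TYPE=41, CLASS=buffer size, TTL=flags (DO), RDLEN=0
        query += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)
    return query

def advertised_bufsize(query):
    """UDP payload size the query advertises, or 512 when it carries no OPT RR."""
    if struct.unpack("!H", query[10:12])[0] == 0:          # ARCOUNT == 0: no EDNS
        return 512
    rtype, size = struct.unpack("!HH", query[-10:-6])      # OPT is last, RDLEN=0 here
    return size if rtype == 41 else 512

def signed_server(query):
    """Toy authoritative server: sends the full signed reply if it fits the client's
    buffer, otherwise a short reply with TC=1 so the client retries over TCP."""
    txid = struct.unpack("!H", query[:2])[0]
    if SIGNED_REPLY_LEN > advertised_bufsize(query):
        return struct.pack("!HH", txid, 0x8300) + query[4:]  # QR|TC|RD, question echoed
    return struct.pack("!HH", txid, 0x8100) + b"\x00" * (SIGNED_REPLY_LEN - 4)

def legacy_firewall(datagram):
    """The kind of box the thread complains about: drops any udp/53 datagram over 512 octets."""
    return datagram if len(datagram) <= 512 else None

def resolve(server, firewall, max_timeouts=3):
    """Mimic the logged BIND behaviour: after max_timeouts drops, disable EDNS.
    Returns (outcome, timeouts seen, buffer size in use at the end)."""
    timeouts, udp_size = 0, EDNS_BUFSIZE
    for _ in range(2 * max_timeouts):
        reply = firewall(server(build_query("example.com.", udp_size=udp_size)))
        if reply is None:
            timeouts += 1
            if timeouts == max_timeouts:
                udp_size = None            # "disabling EDNS": back to the 512-octet limit
            continue
        truncated = struct.unpack("!H", reply[2:4])[0] & 0x0200
        return ("truncated, retry over tcp" if truncated else "ok"), timeouts, udp_size
    return "failed", timeouts, udp_size
```

With `legacy_firewall` the resolver burns three timeouts, drops to 512 and then only ever sees TC=1 replies; with a pass-through firewall (`lambda d: d`) the 1200-octet answer arrives on the first try.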