[Unbound-users] problems resolving www.iana.org / ianawww.vip.icann.org
leen at consolejunkie.net
Mon Jun 20 23:09:53 UTC 2011
On 06/20/2011 03:52 PM, W.C.A. Wijngaards wrote:
> Hi Leen, Daisuke,
> On 06/18/2011 04:56 PM, Daisuke HIGASHI wrote:
> > Leen Besselink wrote:
> >> Is it just me or is Unbound 1.4.7 not able to resolve www.iana.org /
> > ianawww.vip.icann.org right now ?
> The reponses for this query, the DNSKEY and the A responses are over 3
> Kb. You likely have path MTU trouble. Something is wrong with your
> fragments. Perhaps you own firewall is set to stop UDP fragments?
> There is the OARC reply size tester to help with that.
> The error you see in your logs (I saw your attachments earlier, Leen),
> are that the system returns very short (0 byte?) UDP datagrams to
> unbound. Likely because of the UDP fragmentation issues, or less likely
> because of a server-error at icann.org nameservers.
> > Unbound with DNSSEC validation not able to resolve www.iana.org.
> > BIND9 manages to do it but takes long time because of many timeouts.
> All the time is because of the PMTU trouble. For the server it seems as
> if the packet has disappeared, and after a while, BIND and unbound
> attempt to use smaller packets. Where BIND does EDNS at 512 (and thus TCP
> and it works), Unbound does not implement EDNS at 512 (it is against
> standard and people oppose it) and thus turns off EDNS altogether, gets
> the response but without DNSSEC information, and thus returns SERVFAIL
> because it fails validation.
> > It seems that all NS in vip.icann.org returns broken response for
> > DNSKEY query with UDP. BIND9 retries query with TCP and gets complete
> > DNSKEY but Unbound does not.
> Yes, because of the different probe.
> > Despite vip.icann.org NS are broken, is Unbound behavior correct?
> > ------------------
> >> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +dnssec
> > <snip>
> > ;; connection timed out; no servers could be reached
> >> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +tcp +dnssec
> > <very large DNSKEY RRSet and RRSIG>
> > ------------------
> It is not really possible for unbound to probe the PMTU trouble
> everywhere; it is not DNS-OARC. If you really have to you can configure
> a workaround, the edns-size in unbound.conf to 1280 or so and then you
> have less PMTU trouble. It is better for the internet if you fix the
> PMTU trouble (on your firewall, or from your provider).
It is actually my normal home ISP-connection and a HE-tunnel and Unbound
is on the firewall itself,
it still took a lot of tries/time.
Have to say I was trying to 'debug' the problem from with unbound-host
behind the firewall, probably
not that smart. I've learned my lesson. :-)
The ISP-connection can usually get 'normal' 1500 MTU, the HE-tunnel
might obvisously not be able
to get that.
So over IPv4 the Unbound on the firewall should normally not have any
PMTU-issues on the first
I'll atleast know what to look for when it happends again, maybe
disable/look at account of some
firewall rules to see if that is the cause.
Thanks for taking a look,
> Best regards,
Unbound-users mailing list
Unbound-users at unbound.net
More information about the Unbound-users