trouble with .gov dns?

Hi Folks,

Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?

Here's what I'm seeing:

No edns-udp-size setting.
tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1

11:42:36.574916 IP (tos 0x0, ttl 64, id 21833, offset 0, flags [none],
proto UDP (17), length 68) 71.246.241.146.10399 > 69.36.157.30.53:
[udp sum ok] 56983 [1au] A? www.nsf.gov. ar: . OPT UDPsize=4096 OK
(40)
11:42:36.659636 IP (tos 0x0, ttl 249, id 54334, offset 0, flags
[none], proto UDP (17), length 598) 69.36.157.30.53 >
71.246.241.146.10399: [udp sum ok] 56983- q: A? www.nsf.gov. 0/7/5 ns:
nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: swirl.nsf.gov. A 198.181.231.15, whirl.nsf.gov.
A 198.181.231.16, cyclone.nsf.gov. A 204.14.134.227, twister.nsf.gov.
A 198.181.231.17, . OPT UDPsize=1472 (570)

edns-udp-size 512
tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1
11:53:01.604105 IP (tos 0x0, ttl 64, id 21834, offset 0, flags [none],
proto UDP (17), length 68) 71.246.241.146.58103 > 69.36.157.30.53:
[udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags
[none], proto UDP (17), length 534) 69.36.157.30.53 >
71.246.241.146.58103: [udp sum ok] 10320- q: A? www.nsf.gov. 0/7/1 ns:
nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (506)
11:53:01.695000 IP (tos 0x0, ttl 64, id 20662, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.23911 > 209.112.123.30.53:
[udp sum ok] 18982% [1au] A? whirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.695489 IP (tos 0x0, ttl 64, id 20663, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.63892 > 209.112.123.30.53:
[udp sum ok] 3675% [1au] AAAA? whirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.695931 IP (tos 0x0, ttl 64, id 20664, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.37019 > 209.112.123.30.53:
[udp sum ok] 36777% [1au] A? swirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.696274 IP (tos 0x0, ttl 64, id 20665, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.15021 > 209.112.123.30.53:
[udp sum ok] 13755% [1au] AAAA? swirl.nsf.gov. ar: . OPT UDPsize=512
OK (42)
11:53:01.696653 IP (tos 0x0, ttl 64, id 20666, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.38082 > 209.112.123.30.53:
[udp sum ok] 14449% [1au] A? cyclone.nsf.gov. ar: . OPT UDPsize=512 OK
(44)
11:53:01.697045 IP (tos 0x0, ttl 64, id 20667, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.28219 > 209.112.123.30.53:
[udp sum ok] 38858% [1au] AAAA? cyclone.nsf.gov. ar: . OPT UDPsize=512
OK (44)
11:53:01.699294 IP (tos 0x0, ttl 64, id 20668, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.50745 > 209.112.123.30.53:
[udp sum ok] 53248% [1au] A? twister.nsf.gov. ar: . OPT UDPsize=512 OK
(44)
11:53:01.700257 IP (tos 0x0, ttl 64, id 20669, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.21482 > 209.112.123.30.53:
[udp sum ok] 56185% [1au] AAAA? twister.nsf.gov. ar: . OPT UDPsize=512
OK (44)
11:53:01.780833 IP (tos 0x0, ttl 251, id 9453, offset 0, flags [none],
proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.23911:
[udp sum ok] 18982- q: A? whirl.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781284 IP (tos 0x0, ttl 251, id 24142, offset 0, flags
[none], proto UDP (17), length 536) 209.112.123.30.53 >
71.246.241.146.63892: [udp sum ok] 3675- q: AAAA? whirl.nsf.gov. 0/7/1
ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov.
NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS,
nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781999 IP (tos 0x0, ttl 251, id 9454, offset 0, flags [none],
proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.37019:
[udp sum ok] 36777- q: A? swirl.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782136 IP (tos 0x0, ttl 251, id 24143, offset 0, flags
[none], proto UDP (17), length 536) 209.112.123.30.53 >
71.246.241.146.15021: [udp sum ok] 13755- q: AAAA? swirl.nsf.gov.
0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov.,
nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov.
DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782552 IP (tos 0x0, ttl 251, id 9455, offset 0, flags [none],
proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.38082:
[udp sum ok] 14449- q: A? cyclone.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.782937 IP (tos 0x0, ttl 251, id 24144, offset 0, flags
[none], proto UDP (17), length 538) 209.112.123.30.53 >
71.246.241.146.28219: [udp sum ok] 38858- q: AAAA? cyclone.nsf.gov.
0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov.,
nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov.
DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.785168 IP (tos 0x0, ttl 251, id 9456, offset 0, flags [none],
proto UDP (17), length 538) 209.112.123.30.53 > 71.246.241.146.50745:
[udp sum ok] 53248- q: A? twister.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)
11:53:01.786251 IP (tos 0x0, ttl 251, id 24145, offset 0, flags
[none], proto UDP (17), length 538) 209.112.123.30.53 >
71.246.241.146.21482: [udp sum ok] 56185- q: AAAA? twister.nsf.gov.
0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov.,
nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov.
DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (510)

So with edns-udp-size set to 512 it looks like the .gov servers
(a.gov-servers.net, b.gov-servers.net) refuse to ever return the
necessary glue for the nsf.gov DNS servers. Am I reading this right?

Thanks,
Bill Herrin

* William Herrin:

> Anyone else having trouble with .gov DNS failing with edns-udp-size
> set to 512?

You need a UDP size of at least 1220 for DNSSEC, see RFC 3226,
section 3. A query that advertises a smaller buffer size is
non-compliant. BIND will send such queries, but this is a
controversial feature.

This has been noted before, for example:

Hi Florian,

I have "dnssec-enable no;" in my bind config. Were you able to
determine from the tcpdump output that DNSSEC was being requested?
How?

Thanks,
Bill Herrin

* William Herrin:

>> * William Herrin:
>>
>>> Anyone else having trouble with .gov DNS failing with edns-udp-size
>>> set to 512?
>>
>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226,
>> section 3. A query that advertises a smaller buffer size is
>> non-compliant. BIND will send such queries, but this is a
>> controversial feature.
>
> I have "dnssec-enable no;" in my bind config.

It does not seem to have the intended effect.

> Were you able to determine from the tcpdump output that DNSSEC was
> being requested?

> [udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
> 11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags

"OK" means that DO=1 was set.

Hmm. You're right. Bind won't disable DNSSEC unless you turn edns off
completely with:

server 0.0.0.0/0 {
  edns no;
};

Thanks for the info!

Regards,
Bill Herrin

BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is
OK to send them" not "I would like you to send DNSSEC RRs". This is why it
always sets the DO bit when it can, i.e. when the request contains an EDNS
OPT pseudo-RR.

Tony.

And nameservers that don't set TC when they can't fit glue are
broken RFC 1034.

* Tony Finch:

* Mark Andrews:

You need a UDP size of at least 1220 for DNSSEC, see RFC 3226,
section 3. A query that advertises a smaller buffer size is
non-compliant. BIND will send such queries, but this is a
controversial feature.

This has been noted before, for example:

From: Mark Andrews <marka@isc.org>
Subject: [dnsext] Failure to add glue MUST cause TC to be set.
To: dnsext@ietf.org
Date: Sun, 20 Feb 2011 08:07:15 +1100
Message-Id: <20110219210716.72943A5602B@drugs.dv.isc.org>

And nameservers that don't set TC when they can't fit glue are
broken RFC 1034.

Only if they produce such answers in response to compliant queries. 8-)

I would go even further---the DO bit is not about DNSSEC at all.

Err, yes it is.

The resolver just promises to ignore any ancillary record sets it does
not understand.

How people implement RFC 3225 does differ from the intent of the author, however I would be surprised if this is what DO is taken to mean in any resolver.

If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.

You're suggesting RFC 3225 should have predicted DNSSECbis? Would it help if the interpretation of DO is that it indicates the resolver supports "DNSSEC as defined at the time"?

This probably isn't the right venue for this discussion.

Regards,
-drc

Hi David,

I'm going to go with Mark's answer: "nameservers that don't set TC
[truncated bit] when they can't fit glue are broken RFC 1034." When
that happens to be both TLD servers for a particular TLD (.gov), I'm
calling that an operational issue.

I have a workaround. I'm happy. But the folks running gov-servers.net
*really* ought to have a discussion with their vendor.

Regards,
Bill Herrin

* David Conrad:

>> I would go even further---the DO bit is not about DNSSEC at all.
>
> Err, yes it is.

I know you think it is, but you're wrong if you look at the overall
protocol.

>> If DO were about DNSSEC, a new flag would have been
>> introduced along with DNSSECbis, where the record types changed so
>> that for resolvers implementing the older protocol, the DNSSECbis
>> records just looked like garbage.
>
> You're suggesting RFC 3225 should have predicted DNSSECbis?

Not quite. If DO was about DNSSEC in the strictest possible sense,
then it would not have been possible to reuse the flag for DNSSECbis,
which hasn't got anything in common with DNSSEC as far as the wire
types are concerned. For an original-DNSSEC-supporting resolver, they
look like garbage, just as the original DNSSEC records for some of the
resolvers back then. So if DO referred to a specific set of record
types (the original DNSSEC ones), you'd need a new flag for DNSSECbis.
But this wasn't done, so DO does not cover a specific set of record
types, and it is therefore not tied to a particular DNS protocol
extension, including DNSSEC.

This is becoming a thread-to-the-death over a general weakness in the DNS protocol. (Realizing this mailing list is NANOG, not an IETF one.) Like it or not, "versioning" and "negotiation" are poor-to-non-existent in DNS. What's happening here is that a document author (David) meant one thing and implementations (e.g., BIND) interpreted the document another way. It doesn't matter that David is right (in that he meant it another way, and that way is what the WG meant); it matters more that the ship has sailed on "fixing" this in implementations. And frankly, the fix isn't that important in retrospect, because what the implementers did is actually OK; we can and we do live nicely with it.

I'm pleased to report that the fix for this problem was finally deployed,
as of yesterday. You should now find TC=1 in responses from the .gov name
servers when the glue won't fit:

    $ dig +dnssec +bufsize=512 @a.gov-servers.net www.nsf.gov a
    ;; Truncated, retrying in TCP mode.
    ....

Duane W.
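The check this thread converges on (a referral whose in-zone NS targets come back without glue and without TC, which Mark calls broken under RFC 1034 and which Duane's dig now shows as TC=1), written out as an added example that is not from any poster: a small pure-Python parser that reads a DNS response, reports the EDNS buffer size and DO bit (the "OK" Florian points at in the tcpdump output) and flags the missing-glue-without-TC case. The response bytes are constructed here to mirror the capture above (nsf.gov NS names, their addresses, UDPsize=1472), not real packets; the record-ID 10320 and TTLs are likewise made up.

```python
import struct
def _name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: note where the name ends, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def _rrs(msg, off, count):  # -> ([(owner, type, class, ttl, rdata offset)], offset)
    out = []
    for _ in range(count):
        owner, off = _name(msg, off)
        typ, cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        out.append((owner, typ, cls, ttl, off + 10))
        off += 10 + rdlen
    return out, off

def check_referral(msg):
    """Report TC, EDNS buffer size/DO, and in-zone NS targets that have no A/AAAA glue."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = _name(msg, 12)[1] + 4  # single question: skip QNAME, QTYPE, QCLASS
    ans, off = _rrs(msg, off, an)
    auth, off = _rrs(msg, off, ns)
    add, _ = _rrs(msg, off, ar)
    size, do = next(((c, bool(t & 0x8000)) for _, ty, c, t, _ in add if ty == 41), (None, None))
    need = [h for owner, ty, _, _, rd in auth if ty == 2  # NS names at/below the cut need glue
            for h in [_name(msg, rd)[0]] if h == owner or h.endswith("." + owner)]
    missing = [h for h in need if h not in {o for o, ty, *_ in add if ty in (1, 28)}]
    return {"tc": bool(flags & 0x0200), "udpsize": size, "do": do, "missing_glue": missing,
            "broken": bool(missing) and not flags & 0x0200 and not ans}  # the .gov behaviour

def _wire(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def sample_referral(tc=False, glue=False):
    """Constructed response modelled on the thread's capture; not real packet bytes."""
    hosts = {"swirl.nsf.gov": bytes([198, 181, 231, 15]), "whirl.nsf.gov": bytes([198, 181, 231, 16])}
    hdr = struct.pack("!HHHHHH", 10320, 0x8000 | (0x0200 if tc else 0), 1, 0, 2, 2 * glue + 1)
    q = _wire("www.nsf.gov") + struct.pack("!HH", 1, 1)
    auth = b"".join(_wire("nsf.gov") + struct.pack("!HHIH", 2, 1, 86400, len(_wire(h))) + _wire(h) for h in hosts)
    add = b"".join(_wire(h) + struct.pack("!HHIH", 1, 1, 86400, 4) + ip for h, ip in hosts.items()) if glue else b""
    add += b"\x00" + struct.pack("!HHIH", 41, 1472, 0x8000, 0)  # OPT: bufsize 1472, DO=1
    return hdr + q + auth + add
```

`check_referral` also works on a real response body captured from the wire (for example the payload of the 506-byte reply above), since the parser follows compression pointers.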