I am having problems with EDNS support on a few CentOS 6.3 bind servers. I am trying to determine if the problem is my Juniper SSG5 firewall or CentOS.

All the servers have firewall enabled, though I have tested with stopping iptables and ip6tables. I am using tests from:

https://www.dns-oarc.net/oarc/services/replysizetest

dig @localhost +short rs.dns-oarc.net txt

gets:

;; Truncated, retrying in TCP mode.

Is anyone here running bind on their server and can run this command from the server? If you are not getting this truncation, then my problem is the firewall. If you are, then either you have figured out the magic for CentOS or something like that...
Robert Moskowitz wrote:
> I am having problems with EDNS support on a few CentOS 6.3 bind
> servers. I am trying to determine if the problem is my Juniper SSG5
> firewall or CentOS.
>
> All the servers have firewall enabled, though I have tested with
> stopping iptables and ip6tables. I am using tests from:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> dig @localhost +short rs.dns-oarc.net txt
>
> gets:
>
> ;; Truncated, retrying in TCP mode.
>
> Is anyone here running bind on their server and can run this command
> from the server? If you are not getting this truncation, then my
<snip>

As root, on a server running dhcpd but *not* bind (I only see rpcbind), I get

;; connection timed out; no servers could be reached

on a system running 6.3, current.

mark
On 01.03.2013 16:56, Robert Moskowitz wrote:
> I am having problems with EDNS support on a few CentOS 6.3 bind
> servers. I am trying to determine if the problem is my Juniper SSG5
> firewall or CentOS.
>
> All the servers have firewall enabled, though I have tested with
> stopping iptables and ip6tables. I am using tests from:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> dig @localhost +short rs.dns-oarc.net txt
>
> gets:
>
> ;; Truncated, retrying in TCP mode.
>
> Is anyone here running bind on their server and can run this command
> from the server? If you are not getting this truncation, then my
> problem is the firewall. If you are, then either you have figured out
> the magic for CentOS or something like that...

With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:

[ts at dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
[ts at dns01 ~]$

IPv6 works equally well:

[ts at dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
"x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
"Tested at 2013-03-01 16:21:29 UTC"
[ts at dns01 ~]$

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
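To compare runs of the DNS-OARC reply-size test from several servers, the two outcomes quoted in this thread (truncation versus a completed CNAME chain) can be parsed into a short verdict. This is an added example, not code from the thread or from DNS-OARC; the sample outputs are constructed from the lines quoted above, and the 1220-byte floor is the RFC 4035 minimum EDNS buffer for DNSSEC.

```python
import re

# Constructed samples modelled on the dig output quoted in this thread.
TRUNCATED_RUN = ";; Truncated, retrying in TCP mode.\n"
GOOD_RUN = """rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"Tested at 2013-03-01 16:18:18 UTC"
"x.x.x.3 sent EDNS buffer size 4096"
"x.x.x.3 DNS reply size limit is at least 2442"
"""

DNSSEC_MIN = 1220  # RFC 4035: minimum EDNS buffer a DNSSEC-aware resolver must support


def parse_replysize(output):
    """Parse `dig +short rs.dns-oarc.net txt` output into its key facts."""
    r = {"truncated": False, "bufsize": None, "limit": None, "probe_max": 0}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";; Truncated"):
            r["truncated"] = True  # the UDP reply did not fit / did not arrive intact
        m = re.match(r"rst\.x(\d+)\.", line)  # CNAME chain: one hop per probe size
        if m:
            r["probe_max"] = max(r["probe_max"], int(m.group(1)))
        m = re.search(r'sent EDNS buffer size (\d+)"', line)
        if m:
            r["bufsize"] = int(m.group(1))
        m = re.search(r'reply size limit is at least (\d+)"', line)
        if m:
            r["limit"] = int(m.group(1))
    return r


def verdict(r):
    """Classify a parsed run; the reported limit is a lower bound, not an exact MTU."""
    if r["limit"] is None:
        return "truncated" if r["truncated"] else "no-answer"
    if r["probe_max"] != r["limit"]:
        return "inconsistent"  # chain and TXT disagree; rerun the test
    if r["limit"] < DNSSEC_MIN:
        return "below-dnssec-minimum"
    return "ok"


if __name__ == "__main__":
    for name, run in (("truncated", TRUNCATED_RUN), ("good", GOOD_RUN)):
        parsed = parse_replysize(run)
        print(name, verdict(parsed), parsed)
```

Feed it the captured output of the dig command from each server; a "truncated" verdict on one host and "ok" on another behind a different firewall narrows the fault to the path, as the thread is trying to do.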
On 03/01/2013 11:25 AM, Tilman Schmidt wrote:
> On 01.03.2013 16:56, Robert Moskowitz wrote:
>> I am having problems with EDNS support on a few CentOS 6.3 bind
>> servers. I am trying to determine if the problem is my Juniper SSG5
>> firewall or CentOS.
>>
>> All the servers have firewall enabled, though I have tested with
>> stopping iptables and ip6tables. I am using tests from:
>>
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> dig @localhost +short rs.dns-oarc.net txt
>>
>> gets:
>>
>> ;; Truncated, retrying in TCP mode.
>>
>> Is anyone here running bind on their server and can run this command
>> from the server? If you are not getting this truncation, then my
>> problem is the firewall. If you are, then either you have figured out
>> the magic for CentOS or something like that...
> With bind-9.3.6-20.P1.el5_8.6 on CentOS 5.9 behind a Juniper SSG140:
>
> [ts at dns01 ~]$ dig @localhost +short rs.dns-oarc.net txt
> rst.x996.rs.dns-oarc.net.
> rst.x1956.x996.rs.dns-oarc.net.
> rst.x2442.x1956.x996.rs.dns-oarc.net.
> "Tested at 2013-03-01 16:18:18 UTC"
> "x.x.x.3 sent EDNS buffer size 4096"
> "x.x.x.3 DNS reply size limit is at least 2442"
> [ts at dns01 ~]$
>
> IPv6 works equally well:
>
> [ts at dns01 ~]$ dig @localhost6 +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x4049.x3827.rs.dns-oarc.net.
> rst.x4055.x4049.x3827.rs.dns-oarc.net.
> "x:x:x:x:x:x:x:7509 sent EDNS buffer size 4096"
> "x:x:x:x:x:x:x:7509 DNS reply size limit is at least 4055"
> "Tested at 2013-03-01 16:21:29 UTC"
> [ts at dns01 ~]$

As I said, mine is the Juniper SSG5. I do have current firmware (supposedly) on it to fix an IPv6 outbound routing problem. SSG140 runs a different OS.