Re: EDNS (Re: Are the Servers of Spamhaus.rg and blackholes.us down?)

[bmanning () vacation karoshi com]

On Fri, Jan 01, 2010 at 09:44:13PM +0000, Paul Vixie wrote:
> Jason Bertoch <jason () i6ix com> writes:
>
> > > Dec 31 10:12:37 linux-1ij2 named[14306]: too many timeouts resolving
> > > 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS
> >
> > Do you have a firewall in front of this server that limits DNS packets to
> > 512 bytes?
>
> statistically speaking, yes, most people have that.  which is damnfoolery,
> but well supported by the vendors, who think either that udp/53 datagrams
> larger than 512 octets are amplification attacks, or that udp packets having
> no port numbers because they are fragments lacking any udp port information,
> are evil and dangerous.  sadly, noone has yet been fired for buying devices
> that implement this kind of overspecification.  hopefully that will change
> after the DNS root zone is signed and udp/53 responses start to generally
> include DNSSEC signatures, pushing most of them way over the 512 octet limit.
>
> it's going to be another game of chicken -- will the people who build and/or
> deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
> -- 
> Paul Vixie
> KI6YSY


        well, having been pushing vendors for a while on this, expect
        at least Checkpoint and Cisco to have corrected solutions fielded
        soon - and RedHat has fixed their DNSMASQ code since it was pointed 
        out to them that thier defaults were based on flawed assumptions.

        Not a lost cause - but the inertia of the installed base is huge and
        it will take more than the last six months of work to make a dent.
        It would help if the BIND EDNS0 negotiation would not fall back to the
        512 byte limit - perhaps you could talk with the ISC developers about 
        that.

--bill