Re: [DNSOP] m.root-servers.net DNSSEC TCP failures

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Wed, 17 March 2010 12:21 UTC

From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
In-Reply-To: <4BA0C477.8000904@ogud.com>
Date: Wed, 17 Mar 2010 05:21:55 -0700
Message-Id: <2FEC4958-BD96-4845-8672-E442E3F48D82@icsi.berkeley.edu>
References: <3DBA4D6ECA684CE0AB62B1760AB64B65@localhost> <4BA0C477.8000904@ogud.com>
To: dnsop@ietf.org
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] m.root-servers.net DNSSEC TCP failures

A little more, from Comcast SF bay area:  

It's responding to large EDNS MTUs just fine for me:

dig +dnssec any . @m.root-servers.net
works (4096B MTU)

but with a 512B MTU (no EDNS) it doesn't because there is no working TCP:
dig any . @m.root-servers.net
;; Truncated, retrying in TCP mode.
;; Connection to 2001:dc3::35#53(2001:dc3::35) for . failed: host unreachable.
;; communications error to 202.12.27.33#53: connection reset

And it's not an IPv6 error, nor specific to the ANY query for the instance I'm connecting to, because:

 dig +tcp NS . @202.12.27.33 
;; communications error to 202.12.27.33#53: connection reset


Traceroute for me (comcast, SF bay area):

 8  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  18.236 ms  19.293 ms  18.971 ms
 9  xe-9-3-0-0.sjc10.ip4.tinet.net (213.200.80.165)  18.936 ms  17.631 ms  18.901 ms
10  xe-0-0-0.par20.ip4.tinet.net (89.149.187.165)  188.885 ms  170.598 ms
    xe-1-0-0.par20.ip4.tinet.net (89.149.187.169)  187.812 ms
11  213.200.76.38 (213.200.76.38)  174.631 ms  171.042 ms  170.649 ms
12  * 213.200.76.38 (213.200.76.38)  171.488 ms !X *
13  * 213.200.76.38 (213.200.76.38)  174.952 ms !X *
14  213.200.76.38 (213.200.76.38)  172.172 ms !X *  175.036 ms !X


My net has no filtering that I know of on DNS, either UDP or TCP:
http://n1.netalyzr.icsi.berkeley.edu/restore/id=43ca253f-32397-7e23ee37-14c3-4026-9f6b/rd
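The three checks in the message (UDP with a 4096-byte EDNS buffer, UDP at the 512-byte default that forces the TC bit and a TCP retry, and an explicit TCP query) can be scripted without `dig`. The following is an added example, not code from the original post or from the dnsop list: it builds the queries on the wire, inspects the TC bit in the reply, frames the TCP query with the two-byte length prefix, and reports a connection reset or timeout on the TCP leg as a result rather than an exception. The function names, the `probe()` report format and the hypothetical defaults are this example's own; the server address 202.12.27.33 is the one quoted in the message.

```python
"""Probe a DNS server for EDNS, truncation and TCP fallback behaviour.

Added example, not part of the original post.  Helper names and the
report format are hypothetical; the wire formats follow RFC 1035 and
RFC 6891."""
import socket
import struct

TYPE_NS, TYPE_ANY, TYPE_OPT = 2, 255, 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
EDNS_DO = 0x8000  # DNSSEC OK bit, top bit of the OPT RR's TTL field


def build_query(qname, qtype, qid=0x1234, edns_bufsize=None, dnssec_ok=False):
    """Build a wire-format query; an OPT RR is appended only when edns_bufsize is set."""
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack(">HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        if label:  # "." yields no labels, only the root terminator below
            msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack(">HH", qtype, 1)  # root terminator, QTYPE, QCLASS=IN
    if edns_bufsize is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode(8)|version(8)|flags(16) with DO as the top flag bit, RDLEN=0
        ttl = EDNS_DO if dnssec_ok else 0
        msg += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_bufsize, ttl, 0)
    return msg


def parse_header(resp):
    """Return the header fields a truncation check needs; raises on short input."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection mid-message")
        buf += chunk
    return buf


def udp_query(server, msg, timeout=3.0):
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(65535)


def tcp_query(server, msg, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, qname=".", qtype=TYPE_ANY):
    """Run the three checks from the message; network errors are recorded, not raised."""
    results = {}
    try:
        h = parse_header(udp_query(server, build_query(qname, qtype, edns_bufsize=4096, dnssec_ok=True)))
        results["udp_edns4096"] = "ok" if not h["tc"] else "truncated even at 4096"
    except OSError as e:
        results["udp_edns4096"] = "error: %s" % e
    try:
        h = parse_header(udp_query(server, build_query(qname, qtype)))
        results["udp_512"] = "truncated, TCP required" if h["tc"] else "ok"
    except OSError as e:
        results["udp_512"] = "error: %s" % e
    try:
        h = parse_header(tcp_query(server, build_query(qname, TYPE_NS)))
        results["tcp"] = "ok" if h["qr"] else "malformed"
    except OSError as e:
        results["tcp"] = "error: %s" % e  # e.g. "Connection reset by peer", as in the message
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "202.12.27.33"))
```

Run it against a server address to get a one-line report of which leg fails; a `udp_512` result of "truncated, TCP required" together with a `tcp` result of "error: ..." is exactly the failure pattern the message describes, and is the case where a resolver without EDNS cannot complete a DNSSEC lookup at all.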