
[public-dns-discuss] Re: Unable to parse mx record for epd.gov.hk

The issue with the MX queries for epd.gov.hk. is that the responses with DNSSEC enabled are quite large, and with the default EDNS0 4096 buffer size that Google Public DNS is currently using, the responses from ns1.hk.net and ns2.hk.net are fragmented and the Google Public DNS resolvers never receive them.

$ dig +tcp +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; Query time: 191 msec
;; WHEN: Fri Nov 15 17:21:43 EST 2019
;; MSG SIZE  rcvd: 2418
$ dig +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; connection timed out; no servers could be reached

As part of DNS Flag Day 2020, recursive resolvers can reduce problems due to blocked UDP DNS fragments by restricting the EDNS0 buffer size to 1232, and authoritative servers can help too, by limiting their response sizes to 1232 even if the client has asked for a larger response.

$ dig +bufsize=1232 +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns2.hk.net
;; Query time: 202 msec
;; WHEN: Fri Nov 15 17:24:19 EST 2019
;; MSG SIZE  rcvd: 1076

While there is currently no configuration for Google Public DNS that would allow us to force all queries to these two name servers to use a smaller EDNS0 buffer size, we could mitigate the problem by switching to using TCP for all queries.

Alternately, and more efficiently, it may be possible to configure these two name servers to limit their responses to 1232 bytes (this can usually be done by just omitting optional records from the Additional section).
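As an added example that is not part of the original message, the following Python models the negotiation described above: build_query() emits the kind of query that `dig +bufsize=1232 +dnssec` sends (an OPT record advertising the buffer size with the DO bit set), and trim_response() shows how an authoritative server capped at 1232 bytes first omits optional Additional-section records and only truncates (TC=1, forcing a TCP retry) when the mandatory sections alone do not fit. The byte breakdown of the epd.gov.hk reply is constructed to match the 2418 and 1076 byte sizes shown above, not taken from the real zone; all function names are this example's own.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def build_query(qname, qtype, bufsize=1232, dnssec_ok=True, txid=0x1234):
    """DNS query with one question and an OPT RR advertising `bufsize` bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1
    labels = b"".join(bytes([len(l)]) + l for l in qname.encode().split(b"."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name; the CLASS field carries the UDP payload size and
    # the TTL field holds ext-rcode/version/flags, with DO as the top flag bit.
    flags = 0x00008000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, flags, 0)
    return header + question + opt

def advertised_bufsize(packet):
    """UDP payload size a query advertises, or None if it carries no OPT RR.
    Assumes ANCOUNT and NSCOUNT are zero, as in any real query."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    arcount = struct.unpack("!H", packet[10:12])[0]
    if arcount == 0:
        return None
    pos = 12
    for _ in range(qdcount):  # walk each question name, then QTYPE/QCLASS
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 5
    rtype, payload = struct.unpack("!HH", packet[pos + 1:pos + 5])  # skip root name
    return payload if rtype == OPT_TYPE else None

def udp_response_limit(client_bufsize, server_max_udp_size=4096):
    """Largest UDP reply the server will send: 512 bytes without EDNS0 (RFC 1035),
    otherwise the smaller of the client's buffer and the server's own cap."""
    if client_bufsize is None:
        return 512
    return min(client_bufsize, server_max_udp_size)

def trim_response(mandatory_len, optional_additional, limit):
    """Fit a reply of `mandatory_len` bytes (header, question, Answer, Authority)
    plus optional Additional records of the given sizes under `limit`.
    Returns (bytes_sent, records_dropped, truncated)."""
    size = mandatory_len + sum(optional_additional)
    dropped = 0
    for rr_len in sorted(optional_additional, reverse=True):  # drop largest first
        if size <= limit:
            break
        size -= rr_len
        dropped += 1
    if size <= limit:
        return size, dropped, False
    return limit, dropped, True  # mandatory data alone too big: TC=1, client retries over TCP

# Constructed breakdown matching the post: 2418 bytes with the 4096-byte default,
# 1076 bytes once the optional Additional records are omitted.
MANDATORY, OPTIONAL_ADDITIONAL = 1076, [700, 642]

if __name__ == "__main__":
    q = build_query("epd.gov.hk", 15)  # 15 = MX
    for cap in (4096, 1232):
        limit = udp_response_limit(advertised_bufsize(q), server_max_udp_size=cap)
        print(cap, trim_response(MANDATORY, OPTIONAL_ADDITIONAL, limit))
```

Running it shows the same reply shrinking from 2418 bytes (fragmented on the wire) to 1076 bytes once the server cap is 1232, with no truncation needed.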

https://dnsflagday.net/2020/#how-to-test has instructions for some popular open source DNS authoritative name servers (listed below), and if the operators of the ns[12].hk.net name servers can apply one of these, it would solve the problem.

BIND
options {
  max-udp-size 1232;
};

Knot DNS
server:
  max-udp-payload: 1232

PowerDNS Authoritative
  ipv4-edns-size: 1232
  ipv6-edns-size: 1232

To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/3e63f1e4-cc0b-4b67-a677-6d9d87013923%40googlegroups.com.