MTU woes and the merits of re-signing

Written by Roland van Rijswijk in category: General, Procedures

Two stories to learn from today…

MTU woes

I got some news last week that initially got me worried; several colleagues were experiencing DNS problems at home since our secure delegation had been made active (or so it seemed). They had big problems resolving names under the surfnet.nl domain.

We mounted an investigation and it soon became apparent that there was a common denominator shared between these colleagues: they all had the same ISP. Luckily, we were able to contact the ISP and convince them to look into it. They quickly came back to us with the cause: UDP packets over a certain size weren’t getting back to their resolvers… some network component had decided that fragmented UDP was bad UDP and was discarding large packets. Initially, the ISP suggested that we limit the packet size on our authoritative name servers. Although this sounds plausible, it is not a solution. They had problems not only with our authoritative answers but also with other DNSSEC-signed domains, and tracking down every single one of them to convince them to lower their EDNS0 buffer size simply isn’t feasible — and it is solving a problem in your own network by letting other people change things. Luckily, we were able to convince them of this; they have now lowered the EDNS0 buffer size their resolvers advertise and are looking into resolving the UDP fragment problem (which is the root cause).
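The EDNS0 buffer size the ISP ended up lowering is a single 16-bit field in the OPT pseudo-record of a DNS message, and whether a response will be fragmented follows directly from that size and the path MTU. The following is an added example (not code from the original post or from SURFnet); it builds a query with a chosen EDNS0 payload size, reads the advertised size back out of a wire-format message, and estimates whether a UDP response of a given size fits in one IPv4 packet on a link of a given MTU. Function and constant names, the query ID, and the sample sizes are my own choices, and the calculation assumes a plain IPv4 header without options.

```python
"""Added example, not code from the original post: build and inspect
EDNS0 (RFC 6891) OPT records and estimate fragmentation.  Pure standard
library, no network access; all inputs are constructed here."""
import struct

OPT_TYPE = 41                  # RR type of the EDNS0 OPT pseudo-record
IPV4_UDP_OVERHEAD = 20 + 8     # IPv4 header (no options) + UDP header, in bytes
DO_FLAG = 0x00008000           # DNSSEC OK bit in the OPT record's TTL field


def _encode_name(qname):
    """Turn 'surfnet.nl' into wire-format labels: \\x07surfnet\\x02nl\\x00."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_size=None, do_bit=True):
    """Return a wire-format DNS query.  With udp_size set, append an OPT
    record advertising that payload size (and the DO bit); with udp_size
    None, send a plain pre-EDNS query whose answers are capped at 512 bytes."""
    arcount = 1 if udp_size is not None else 0
    # header: id, flags (RD set), qdcount, ancount, nscount, arcount
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)   # qtype, class IN
    if udp_size is not None:
        ttl = DO_FLAG if do_bit else 0
        # OPT: root owner name, type 41, "class" carries the UDP payload size,
        # "TTL" carries ext-rcode/version/flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a possibly-compressed owner name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the EDNS0 UDP payload size a message advertises, or None if
    it carries no OPT record (i.e. the sender is limited to 512 bytes)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def max_unfragmented_payload(mtu=1500):
    """Largest UDP payload that fits in a single IPv4 packet on this MTU."""
    return mtu - IPV4_UDP_OVERHEAD


def needs_fragmentation(response_len, mtu=1500):
    """True if a UDP DNS response of response_len bytes exceeds the MTU."""
    return response_len > max_unfragmented_payload(mtu)


def effective_udp_size(advertised, mtu=1500):
    """What a resolver should actually advertise on a path that drops
    fragments: its buffer size, capped so responses never need fragmenting."""
    return min(advertised, max_unfragmented_payload(mtu))


if __name__ == "__main__":
    q = build_query("surfnet.nl", qtype=48, udp_size=4096)   # DNSKEY query, 4096-byte buffer
    print("advertised:", advertised_udp_size(q))
    print("fits on 1500 MTU without fragments:", not needs_fragmentation(4096))
    print("safe size on 1500 MTU:", effective_udp_size(4096))
```

The interesting number is `max_unfragmented_payload(1500)`: anything a resolver advertises above it invites fragmented responses from every signed zone it talks to, which is why lowering that one value at the resolver fixes the symptom for all domains at once, whereas lowering it on one authoritative server only helps that zone.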

The merits of re-signing

For the second time since becoming operational, the .be zone has DNSSEC trouble. Earlier this autumn, they had a problem where their zone (or parts of it) wasn’t getting re-signed. Today I noticed, thanks to a Nagios alarm on one of our resolvers that only triggers if the failed validation rate exceeds a certain level, that there were lots of validation failures for .be zones. It turns out that at least some of their NSEC3 records have expired signatures, which is very bad news. This affects all domains in the .be zone, not just the ones that are signed. And because domains are interconnected through shared secondary name servers, this also affects non-.be domains (!).

This once again shows the importance of sound procedures and of monitoring; it’s one thing to have a policy on when you re-sign, etc., it’s another to check that your policy becomes hard technical fact by regularly checking your zone as it goes out on the Internet…
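Two checks of the kind the paragraphs above argue for, as an added example that is not code from the original post, from SURFnet or from DNS.be: one reads RRSIG records in zone-file presentation format (the form you get when you pull the zone as it is served) and reports which signatures are expired, not yet valid, or close to expiring; the other turns a batch of resolver validator log lines into a Nagios-style state that only alarms once the failure rate passes a threshold, and groups failures by top-level domain so a problem like the .be one stands out. The RRSIG records, the log line format, the thresholds and all names and values are constructed for the example.

```python
"""Added example, not code from the original post: RRSIG expiry checking
and a rate-based validation-failure alarm.  All records and log lines are
constructed samples; the log format is hypothetical, not a real resolver's."""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format (RFC 4034, section 3.2):
# owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
SAMPLE_RRSIGS = """\
example.be. 600 IN RRSIG NSEC3 8 2 600 20101201000000 20101101000000 12345 be. c2lnbmF0dXJl
example.be. 600 IN RRSIG A 8 2 600 20101231235959 20101201000000 12345 be. c2lnbmF0dXJl
"""

# Constructed resolver log lines (hypothetical format, one validation per line).
SAMPLE_LOG = """\
validation failure <www.example.be. A IN>: signature expired
validation success <www.example.nl. A IN>
validation failure <mail.example.be. MX IN>: signature expired
validation success <www.example.org. A IN>
"""

NAGIOS_EXIT = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def _parse_ts(ts):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig_expiry(zone_text, now_ts, warn_days=3):
    """Return [(owner, type_covered, status)] for each RRSIG in zone_text.
    status is 'expired', 'not-yet-valid', 'expiring' (within warn_days) or 'ok'.
    now_ts is given in the same YYYYMMDDHHmmSS form so runs are reproducible."""
    now = _parse_ts(now_ts)
    results = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue                      # not an RRSIG in the 13-field layout above
        expiration, inception = _parse_ts(fields[8]), _parse_ts(fields[9])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now <= timedelta(days=warn_days):
            status = "expiring"           # still valid, but re-signing is overdue
        else:
            status = "ok"
        results.append((fields[0], fields[4], status))
    return results


def validation_failure_rate(log_text):
    """Share of validations in the batch that failed, 0.0 for an empty batch."""
    fails = oks = 0
    for line in log_text.splitlines():
        if line.startswith("validation failure"):
            fails += 1
        elif line.startswith("validation success"):
            oks += 1
    total = fails + oks
    return fails / total if total else 0.0


def failures_by_tld(log_text):
    """Count failed validations per top-level domain of the queried name."""
    counts = {}
    for line in log_text.splitlines():
        if not line.startswith("validation failure <"):
            continue
        name = line.split("<", 1)[1].split()[0]      # 'www.example.be.'
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        counts[tld] = counts.get(tld, 0) + 1
    return counts


def nagios_state(rate, warn=0.05, crit=0.20):
    """Map a failure rate to a Nagios state; a few stray failures stay OK."""
    if rate >= crit:
        return "CRITICAL"
    if rate >= warn:
        return "WARNING"
    return "OK"


if __name__ == "__main__":
    for owner, covered, status in check_rrsig_expiry(SAMPLE_RRSIGS, "20101210000000"):
        print(f"{owner} RRSIG({covered}): {status}")
    rate = validation_failure_rate(SAMPLE_LOG)
    state = nagios_state(rate)
    print(f"{state}: failure rate {rate:.0%}, by TLD {failures_by_tld(SAMPLE_LOG)}")
    raise SystemExit(NAGIOS_EXIT[state])
```

The first check belongs on the publishing side (run it against the zone as served by each public name server, not against the file on the signer), the second on the resolving side; the rate threshold is what keeps a handful of genuinely broken domains from paging anyone, while a whole TLD going stale does.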
