[Dnsmasq-discuss] DNSSEC slow query / TCP/ truncated issue

Simon Kelley simon at thekelleys.org.uk
Wed Aug 14 20:55:33 BST 2019


On 14/08/2019 18:51, Dominic Preston wrote:
> On Wed, 14 Aug 2019 at 18:43, Simon Kelley <simon at thekelleys.org.uk> wrote:
>>
>> On 11/08/2019 21:01, Dominic Preston wrote:
>>> Hi,
>>>
>>> I have a fresh installation of Ubuntu 18.04 on Google Cloud Platform.
>>> I have compiled the latest version of dnsmasq with the following
>>> configuration:
>>>
>>> no-resolv
>>> server=8.8.8.8
>>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>>> dnssec
>>>
>>> I stop systemd-resolved, run dnsmasq and issue the following command:
>>>
>>> dig @127.0.0.1 pir.org
>>>
>>> After that there's a long pause, and the result comes back with the
>>> following line at the top of dig:
>>>
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> dnsmasq log says:
>>>
>>> dnsmasq: reducing DNS packet size for nameserver 8.8.8.8 to 1280
>>>
>>> If I run this, dig comes back immediately with no pause and no TCP mode:
>>>
>>> dig @8.8.8.8 pir.org
>>>
>>> Any ideas why the first dig command has problems and the second dig
>>> command is fine?
>>>
>>> Thanks in advance.
>>>
>>
>>
>> It's likely that the MTU for the path from 8.8.8.8 to you is limited,
>> and a reply for one of the queries needed to verify the query is
>> getting dropped. Hence dnsmasq reduces the packet size to the more
>> conservative 1280, and the query has to be done over TCP.
>>
>> It works fast the second time because the information you're asking for
>> is cached by dnsmasq.
>>
>> Cheers,
>>
>> Simon.
>>
> 
> Thanks Simon, that makes sense.
> 
> Is there a straightforward (non dnsmasq) network command I can run so
> I can demonstrate this MTU issue to the Google Cloud team?
> 

First step is to turn on --log-queries in dnsmasq and run the query to
provoke the problem. That should tell you which of the replies in the
chain-of-trust is oversize.

Simon.
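As an added illustration of the --log-queries step suggested above (my own example, not code from this thread or from dnsmasq), here is a small Python script that reads dnsmasq log lines and reports which chain-of-trust query was still unanswered when the "reducing DNS packet size" line was logged. The log lines are a constructed sample approximating dnsmasq's --log-queries output, not a real capture.

```python
import re

# Constructed sample resembling dnsmasq --log-queries output (hypothetical, not a
# capture from this thread). The DNSKEY query for "org" is retried and gets no
# reply before dnsmasq lowers its advertised EDNS buffer size for 8.8.8.8.
SAMPLE_LOG = """\
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: forwarded pir.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] pir.org to 8.8.8.8
dnsmasq: reply pir.org is DNSKEY keytag 12345, algo 8
dnsmasq: dnssec-query[DS] pir.org to 8.8.8.8
dnsmasq: reply pir.org is DS keytag 12345, algo 8
dnsmasq: dnssec-query[DNSKEY] org to 8.8.8.8
dnsmasq: dnssec-retry[DNSKEY] org to 8.8.8.8
dnsmasq: reducing DNS packet size for nameserver 8.8.8.8 to 1280
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: validation pir.org is SECURE
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from")
SENT = re.compile(r"(forwarded|dnssec-(?:query|retry)\[(\w+)\]) (\S+) to (\S+)$")
REPLY = re.compile(r"reply (\S+) is (\S+)")
REDUCE = re.compile(r"reducing DNS packet size for nameserver (\S+) to (\d+)")

def find_oversize_replies(log_text):
    """One record per packet-size reduction, naming the unanswered query
    (retried ones first) whose UDP reply was most likely too big to arrive."""
    client_types = {}   # name -> type of the client query that was forwarded
    outstanding = {}    # server -> list of queries sent but not yet answered
    findings = []
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            client_types[m.group(2)] = m.group(1)
        elif m := SENT.search(line):
            kind, qtype, name, server = m.groups()
            qtype = qtype or client_types.get(name, "?")
            pending = outstanding.setdefault(server, [])
            for q in pending:
                if q["name"] == name and q["type"] == qtype and "retry" in kind:
                    q["retries"] += 1      # resend of a query that got no reply
                    break
            else:
                pending.append({"type": qtype, "name": name, "retries": 0})
        elif m := REPLY.search(line):
            name, rtype = m.groups()       # non-DNSSEC replies carry no type
            for pending in outstanding.values():
                pending[:] = [q for q in pending if not (q["name"] == name and
                              (q["type"] == rtype or rtype not in ("DNSKEY", "DS")))]
        elif m := REDUCE.search(line):
            server, pending = m.group(1), outstanding.get(server, [])
            suspect = max(pending, key=lambda q: (q["retries"], pending.index(q)),
                          default=None)
            findings.append({"server": server, "new_size": int(m.group(2)),
                             "suspect": f"{suspect['type']} {suspect['name']}" if suspect else None,
                             "unanswered": [f"{q['type']} {q['name']}" for q in pending]})
    return findings
```

Run it over a real log (dnsmasq started with --log-queries, then the dig from the first message); the "suspect" entry is the name and type to test directly against the upstream server with a large EDNS buffer.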
