[Dnsmasq-discuss] DNSSEC slow query / TCP/ truncated issue

Dominic Preston lzqhwo at gmail.com
Wed Aug 14 22:02:20 BST 2019


On Wed, 14 Aug 2019 at 21:47, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
> On 14/08/2019 18:51, Dominic Preston wrote:
> > On Wed, 14 Aug 2019 at 18:43, Simon Kelley <simon at thekelleys.org.uk> wrote:
> >>
> >> On 11/08/2019 21:01, Dominic Preston wrote:
> >>> Hi,
> >>>
> >>> I have a fresh installation of Ubuntu 18.04 on Google Cloud Platform.
> >>> I have compiled the latest version of dnsmasq with the following
> >>> configuration:
> >>>
> >>> no-resolv
> >>> server=8.8.8.8
> >>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> >>> dnssec
> >>>
> >>> I stop systemd-resolved, run dnsmasq and issue the following command:
> >>>
> >>> dig @127.0.0.1 pir.org
> >>>
> >>> After that there's a long pause, and the result comes back with the
> >>> following line at the top of dig:
> >>>
> >>> ;; Truncated, retrying in TCP mode.
> >>>
> >>> dnsmasq log says:
> >>>
> >>> dnsmasq: reducing DNS packet size for nameserver 8.8.8.8 to 1280
> >>>
> >>> If I run this, dig comes back immediately with no pause and no TCP mode:
> >>>
> >>> dig @8.8.8.8 pir.org
> >>>
> >>> Any ideas why the first dig command has problems and the second dig
> >>> command is fine?
> >>>
> >>> Thanks in advance.
> >>>
> >>
> >>
> >> It's likely that the MTU for the path from 8.8.8.8 to you is limited,
> >> and a reply for one of the queries needed to verify the query is
> >> getting dropped. Hence dnsmasq reduces the packet size to the more
> >> conservative 1280, and the query has to be done over TCP.
> >>
> >> It works fast the second time because the information you're asking for
> >> is cached by dnsmasq.
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >
> > Thanks Simon, that makes sense.
> >
> > Is there a straightforward (non dnsmasq) network command I can run so
> > I can demonstrate this MTU issue to the Google Cloud team?
> >
>
> First step is to turn on --log-queries in dnsmasq and run the query to
> provoke the problem. That should tell you which of the replies in the
> chain-of-trust is oversize.
>
> Simon.
>



Any clues here?

dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: forwarded pir.org to 8.8.8.8
dnsmasq: dnssec-query[DS] org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: dnssec-query[DS] pir.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] org to 8.8.8.8
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: dnssec retry to 8.8.8.8
dnsmasq: reducing DNS packet size for nameserver 8.8.8.8 to 1280
dnsmasq: reply pir.org is 97.107.141.235
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: forwarded pir.org to 8.8.8.8
dnsmasq: dnssec-query[DS] pir.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] org to 8.8.8.8
dnsmasq: reply org is DNSKEY keytag 47612, algo 7
dnsmasq: reply org is DNSKEY keytag 44078, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply pir.org is DS keytag 54135, algo 5, digest 1
dnsmasq: reply pir.org is DS keytag 54135, algo 5, digest 2
dnsmasq: dnssec-query[DNSKEY] pir.org to 8.8.8.8
dnsmasq: reply pir.org is DNSKEY keytag 29907, algo 5
dnsmasq: reply pir.org is DNSKEY keytag 54135, algo 5
dnsmasq: validation result is SECURE
dnsmasq: reply pir.org is 97.107.141.235
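As an added example (not code from this thread or from the dnsmasq project), a small script that reads a --log-queries trace like the one above and reports which chain-of-trust queries were still unanswered when dnsmasq logged the packet-size reduction; the embedded log is a constructed copy of the lines quoted above, and real syslog prefixes are tolerated because the patterns are searched, not anchored.

```python
import re
from collections import OrderedDict

# Constructed sample: the --log-queries lines quoted earlier in this thread.
LOG = """\
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: forwarded pir.org to 8.8.8.8
dnsmasq: dnssec-query[DS] org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: dnssec-query[DS] pir.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] org to 8.8.8.8
dnsmasq: query[A] pir.org from 127.0.0.1
dnsmasq: dnssec retry to 8.8.8.8
dnsmasq: reducing DNS packet size for nameserver 8.8.8.8 to 1280
dnsmasq: reply pir.org is 97.107.141.235
"""

QUERY_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (DS|DNSKEY) ")
RETRY_RE = re.compile(r"reducing DNS packet size for nameserver (\S+) to (\d+)")


def unanswered_at_retry(log):
    """Return ([(rrtype, name), ...], new_size): the DNSSEC queries sent to
    the affected server that had no reply logged before dnsmasq first
    reduced its packet size. Returns ([], None) if no reduction occurred."""
    pending = OrderedDict()  # (rrtype, name) -> upstream server
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = REPLY_RE.search(line)
        if m:  # a DS/DNSKEY reply arrived; that query is no longer pending
            pending.pop((m.group(2), m.group(1)), None)
            continue
        m = RETRY_RE.search(line)
        if m:
            server, size = m.group(1), int(m.group(2))
            return [q for q, srv in pending.items() if srv == server], size
    return [], None


if __name__ == "__main__":
    suspects, size = unanswered_at_retry(LOG)
    for rrtype, name in suspects:
        print(f"{rrtype} {name}: no reply before the drop to {size} bytes")
```

On the trace above it names DS pir.org and DNSKEY org as the queries outstanding when the retry fired, which narrows down which reply to capture on the wire when raising the MTU question.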