DNS

DNSSEC - OARC Size Tester

Talk by @mwl at BSDCan 2022

https://www.youtube.com/watch?v=1n62VZj-CKI

OARC Reply Size Tester

dig +short rs.dns-oarc.net TXT

Host1 - good :)

# dig +short rs.dns-oarc.net TXT
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

# dig +short rs.dns-oarc.net TXT
rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"

Any Comments ?
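One way to read these two answers mechanically, as an added example that is not part of the original page: a small Python script that parses the two TXT records the tester returns and compares the measured limit with the buffer size the resolver advertised. The point it makes is that the 1232 Host2 advertises is the DNS Flag Day 2020 recommended default, so the practical question is not which host advertises more but whether the measured limit sits close to what is advertised; a limit far below the advertised buffer means large UDP replies (fragments) are being dropped somewhere on the path, and DNSSEC-signed answers above that size only arrive if the resolver falls back to TCP. The SLACK threshold, the function names and the embedded samples (copied from the two captures above) are this example's own.

```python
import re
import sys
from dataclasses import dataclass

# DNS Flag Day 2020 recommended default for the EDNS UDP buffer size:
# a reply that fits in 1232 bytes never needs IP fragmentation.
FLAG_DAY_BUFFER = 1232

# Heuristic slack between the advertised buffer and the measured limit
# (assumption of this example: the tester probes in steps, and the two
# captures above differ from the advertised size by 6 and 26 bytes).
SLACK = 64

# Constructed samples: the two dig answers recorded above.
HOST1 = '''rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"
'''

HOST2 = '''rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"
'''

_LIMIT_RE = re.compile(r'"(\S+) DNS reply size limit is at least (\d+)"')
_BUFFER_RE = re.compile(r'"(\S+) sent EDNS buffer size (\d+)"')


@dataclass
class ReplySize:
    resolver: str    # source address the tester saw the query come from
    limit: int       # largest UDP reply that made it back along the path
    advertised: int  # EDNS buffer size the resolver put in its query


def parse_rst(text):
    """Extract the two TXT records from `dig +short rs.dns-oarc.net TXT`."""
    limit = _LIMIT_RE.search(text)
    buf = _BUFFER_RE.search(text)
    if limit is None or buf is None:
        raise ValueError("not an rs.dns-oarc.net answer")
    if limit.group(1) != buf.group(1):
        raise ValueError("TXT records name different source addresses")
    return ReplySize(limit.group(1), int(limit.group(2)), int(buf.group(2)))


def assess(r):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    # A limit well below what the resolver advertises means something on the
    # path (a firewall, a fragment-dropping middlebox) discards large UDP
    # replies; answers above the limit time out unless TCP fallback works.
    if r.advertised - r.limit > SLACK:
        findings.append(
            f"{r.resolver}: path delivers at most ~{r.limit} bytes but "
            f"{r.advertised} is advertised, large replies are being dropped")
    # Advertising more than 1232 only works while IP fragments get through
    # end to end; the Flag Day guidance is to stop relying on that.
    if r.advertised > FLAG_DAY_BUFFER:
        findings.append(
            f"{r.resolver}: advertises {r.advertised} > {FLAG_DAY_BUFFER}, "
            f"replies above the path MTU depend on IP fragmentation")
    return findings


if __name__ == "__main__":
    # Pipe real output in (dig +short rs.dns-oarc.net TXT | python3 ...)
    # or run without stdin to see the two recorded samples evaluated.
    samples = [sys.stdin.read()] if not sys.stdin.isatty() else [HOST1, HOST2]
    for sample in samples:
        result = parse_rst(sample)
        print(result, assess(result) or ["ok"])
```

Run against the two captures, Host2 comes back clean and Host1 gets a single finding about depending on fragmentation; neither shows the real failure mode, a measured limit far below the advertised buffer, which is what the tester exists to catch.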


Glue records

https://serverfault.com/questions/142344/how-to-test-dns-glue-record

Check glue records

Glue lives in the parent zone, so the check is to look up the ch. name servers and then ask one of them directly with +norec: the answer is a referral (no aa flag) and the glue addresses appear in its ADDITIONAL section. Asking the zone's own servers, or a recursive resolver, returns the zone's authoritative data rather than the glue.

host:~ $ dig +short ch. NS
c.nic.ch.
a.nic.ch.
h.nic.ch.
f.nic.ch.
g.nic.ch.
b.nic.ch.
e.nic.ch.

host:~ $ dig +norec @a.nic.ch. noflow.ch. NS

; <<>> DiG 9.10.6 <<>> +norec @a.nic.ch. noflow.ch. NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29211
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;noflow.ch. IN  NS

;; AUTHORITY SECTION:
noflow.ch.  3600  IN  NS  ns3.noflow.ch.
noflow.ch.  3600  IN  NS  ns2.noflow.ch.
noflow.ch.  3600  IN  NS  ns1.noflow.ch.

;; ADDITIONAL SECTION:
ns3.noflow.ch.  3600  IN  A 45.32.159.233
ns2.noflow.ch.  3600  IN  A 193.36.36.130
ns1.noflow.ch.  3600  IN  A 45.15.80.202

;; Query time: 12 msec
;; SERVER: 2001:620:0:ff::56#53(2001:620:0:ff::56)
;; WHEN: Wed Aug 26 23:09:52 CEST 2020
;; MSG SIZE  rcvd: 140

As you can see, there are three glue records with A and none with AAAA. I need to talk with my domain hosting provider as I'd like to have AAAA as well …