nanog mailing list archives
Re: trouble with .gov dns?
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 02 May 2011 19:31:07 +0200
* William Herrin:
> On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw () deneb enyo de> wrote:
>> * William Herrin:
>>> Anyone else having trouble with .gov DNS failing with edns-udp-size
>>> set to 512?
>>
>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226,
>> section 3. A query that advertises a smaller buffer size is
>> non-compliant. BIND will send such queries, but this is a
>> controversial feature.
>
> I have "dnssec-enable no;" in my bind config.

It does not seem to have the intended effect.

> Were you able to determine from the tcpdump output that DNSSEC was
> being requested?

[udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags

"OK" means that DO=1 was set.
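
An added example, not part of the original message: the two values tcpdump prints for the OPT record (UDPsize and the "OK" that marks DO=1) can be read directly from a query's wire format, which makes it possible to flag queries that set DO while advertising less than the 1220 bytes cited above. The query bytes are constructed here for illustration, and all function names are this example's own.

```python
import struct

MIN_DNSSEC_UDP = 1220  # minimum buffer size cited in the thread (RFC 3226, section 3)

def build_query(name, udp_size, do_bit, qid=10320):
    """Build a constructed A query with one EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    ttl = 0x8000 if do_bit else 0  # OPT TTL: ext-rcode(8) | version(8) | DO(1) | Z(15)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)  # root name, TYPE=OPT, CLASS=size
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a name (plain labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (udp_size, do_bit) from the message's OPT record, or None if it has none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:  # OPT: CLASS carries the UDP size, TTL carries the flags
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def check(msg):
    """Flag a query that requests DNSSEC records with too small a buffer."""
    info = edns_info(msg)
    if info is None:
        return "no EDNS"
    size, do = info
    if do and size < MIN_DNSSEC_UDP:
        return f"DO=1 with UDPsize={size} (< {MIN_DNSSEC_UDP})"
    return f"DO={int(do)} UDPsize={size}"

if __name__ == "__main__":
    print(check(build_query("www.nsf.gov.", 512, True)))
```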