Re: DNSsec from domailcontrol.com

[Mark Andrews <marka () isc org>]

In message <AANLkTimcXZhuaI9nzOUHRM5fYGb73xRvVU2fy4JOZPRY () mail gmail com>, MKS 
writes:
> Hi
>
> We (a small ISP in the middle of nowhere) are having problems
> resolving DNSsec records from godaddy.
>
> This commands works just fine
> # dig @ns52.domaincontrol.com loomus.com
>
> but this doesn't
> # dig @ns52.domaincontrol.com +dnssec loomus.com
> We don't receive the reply to the query.
>
> and no, this isn't a packet size issue, the reply for the second
> command is 124bytes, and the host isn't behind a firewall.
>
> So the same commands work just fine outside our network, and we are
> only having problems with nsxx.domailcontrol.com
> As far as I can see, when enabling +dnssec the EDNS option is
> activated and this is added in the dns querty "OPT UDPsize=4096 OK"
>
> I have also tried
> # dig @ns52.domaincontrol.com +dnssec +bufsize=512 loomus.com
> without any success.
>
>
> Does someone have any brilliant suggestions?
> Please contact me on or off list
>
> Regards
> MKS

The server isn't even EDNS aware.  I suspect your firewall doesn't
like a plain DNS response to a EDNS query.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org