No Response to DNSSEC Requests

Mark Andrews Mark_Andrews at isc.org
Tue Aug 21 23:31:04 UTC 2007


> On Mon, 16 Apr 2007, Mark Andrews wrote:
> 
> > 	It does respond.  I think you should look at your firewall.
> > 	The UDP response will be fragmented (1813 bytes in total).
> 
> Well, my firewall, or some router between me and the Internet, is
> borked, and simply will not return fragmented UDP responses. Now that
> I'm trying to do a key rollover, I'm nailed by this again.
> 
> What can I do to fix this? Is there any way to convince my resolving
> server to use TCP requests for the DNSSEC domains?

	Advertise an EDNS size that is less than ethernet MTU.

		options {
			edns-udp-size 1460;
		};

	I have a NAT box that doesn't handle out of order fragments
	and use the above.

	Upgrade to BIND 9.4 which will fall back to EDNS at 512 before
	falling back to plain DNS.

1954.   [func]          Named now falls back to advertising EDNS with a
                        512 byte receive buffer if the initial EDNS queries
                        fail.  [RT #14852]

	The first stops most fragmentation from occurring.  The second
	handles broken firewalls.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
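To show what the edns-udp-size setting above changes on the wire, here is an added Python example (not from this thread and not BIND code) that builds a DNSKEY query carrying an EDNS0 OPT record with a chosen advertised buffer size, reads that size back out of the packet, and checks whether a UDP/IPv4 response of a given length fits in one Ethernet frame. The 1460-byte setting and the 1813-byte fragmented response come from the thread; the 1500-byte MTU and 28-byte IPv4+UDP overhead are assumptions.

```python
import struct

# Assumed: IPv4 header (20) + UDP header (8) leave 1472 bytes of DNS payload in a 1500-byte frame.
ETHERNET_MTU = 1500
IPV4_UDP_OVERHEAD = 28
TYPE_OPT = 41   # EDNS0 OPT pseudo-RR

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, udp_size=None, do_bit=True, txid=0x1234):
    """Build a DNS query; with udp_size set, append an OPT RR advertising that buffer."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD flag set
    packet = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=ext-RCODE|version|DO+Z, RDLENGTH=0
        ttl = 0x8000 if do_bit else 0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return packet

def _skip_name(packet, pos):
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer is two bytes
            return pos + 2
        pos += length + 1

def advertised_udp_size(packet):
    """Return the EDNS payload size a query advertises, or 512 if it carries no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4            # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return 512   # plain DNS: the classic 512-byte UDP limit applies

def fits_single_frame(dns_payload_len, mtu=ETHERNET_MTU):
    """True if a UDP/IPv4 datagram carrying this DNS payload needs no fragmentation."""
    return dns_payload_len + IPV4_UDP_OVERHEAD <= mtu
```

With the advertised size at 1460 the server truncates any larger answer (TC bit) instead of sending an 1813-byte fragmented datagram, and the resolver retries over TCP.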


