Resolving .gov w/dnssec

Paul Wouters paul at xelerance.com
Thu Apr 22 17:23:26 UTC 2010


On Thu, 22 Apr 2010, Chris Thompson wrote:

>> I have the same problems with our validating unbound instance. 
>
> I suspect that this has to do with
>
> dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
>
> failing with timeouts, while
>
> dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.
>
> work fine ... with a 1736-byte answer. Probably the fragmented
> UDP response is getting lost somewhere near the authoritative
> servers themselves.

But wouldn't it fall back to TCP then? Also with dig +cd I got an
instant answer, and the (old) cache dump contains the dnskey.

So I don't think that's the full story.

Paul