Chris Thompson cet1 at cam.ac.uk
Thu Apr 19 12:59:35 UTC 2012

On Apr 19 2012, Richard Laager wrote:

>Are others timing out trying to resolve www.glb.hud.gov? This seems
>(though I haven't done extensive testing) to only happen to me with
>http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
>warnings, so maybe that's it. I always suspect DNSSEC when I have
>problems with .gov domains, but I commented out "dnssec-enable yes" in
>my named.conf and it didn't help.

There is no DS record in the parent zone, so the zone contents could
not be validated anyway.

The main problem seems to be that the nameservers for glb.hud.gov
never respond to requests for its DNSKEY records (even if EDNS is
turned off in the query). They also don't respond to queries over
TCP about anything.

Specifying "dnssec-enable no" doesn't stop BIND setting the DO bit
on the queries it sends out. However, if validation is off, I am
not sure why it would be bothering to (try to) fetch the DNSKEY

Chris Thompson
Email: cet1 at cam.ac.uk
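The two symptoms described in this thread (an authoritative server that never answers DNSKEY queries, with or without EDNS/DO, and one that answers nothing over TCP) can be checked from a script rather than by hand. The following is an added example, not code from the mailing list or from BIND: it builds a DNS query by hand with the standard library, optionally appends the EDNS0 OPT record with the DO bit that a DNSSEC-aware resolver sets, and sends it over UDP and TCP, classifying each result as a timeout or a response. The server address and zone name are placeholders to be supplied on the command line; query id 0x1234 and the 4096-byte EDNS payload size are arbitrary choices.

```python
"""Probe a nameserver for unanswered DNSKEY and TCP queries.
Hand-rolled wire format, standard library only (no dnspython).
Added example; not part of the original thread."""
import socket
import struct

DNSKEY = 48
OPT = 41
QID = 0x1234  # arbitrary fixed query id so replies can be matched


def encode_name(name):
    """Encode a domain name in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, do_bit=True, qid=QID, udp_size=4096):
    """Build a recursion-desired query. With do_bit, append an EDNS0 OPT
    pseudo-RR whose flags field has DO (bit 15) set; this is what a
    DNSSEC-aware resolver sends whether or not it validates."""
    arcount = 1 if do_bit else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if do_bit:
        # OPT RR: owner = root, TYPE=41, CLASS = requestor's UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16); DO is 0x8000 in flags.
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x00008000, 0)
    return msg


def has_do_bit(msg):
    """True if the message ends with an OPT RR carrying DO (handles only the
    single trailing OPT that build_query emits)."""
    if len(msg) < 11 or msg[-11] != 0:
        return False
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[-10:])
    return rtype == OPT and rdlen == 0 and bool(ttl & 0x8000)


def parse_header(data):
    """Decode the 12-byte DNS header into its fields."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe(server, qname, qtype=DNSKEY, do_bit=True, use_tcp=False, timeout=3.0):
    """Send one query and classify the outcome: 'timeout', 'error:<name>',
    'id-mismatch', or 'rcode=N ancount=M tc=T'. Network I/O happens only here."""
    msg = build_query(qname, qtype, do_bit=do_bit)
    try:
        if use_tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(msg)) + msg)  # 2-byte length prefix
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (server, 53))
                data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.__class__.__name__}"
    hdr = parse_header(data)
    if hdr["id"] != QID:
        return "id-mismatch"
    return f"rcode={hdr['rcode']} ancount={hdr['ancount']} tc={int(hdr['tc'])}"


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.net"  # placeholder zone
    for do_bit in (True, False):
        for tcp in (False, True):
            transport = "TCP" if tcp else "UDP"
            print(f"DNSKEY {zone} DO={int(do_bit)} {transport}: "
                  f"{probe(server, zone, DNSKEY, do_bit, tcp)}")
    print(f"A {zone} DO=0 TCP: {probe(server, zone, 1, False, True)}")
```

Run it against each address listed in the zone's NS records; a server that behaves like the one in this thread reports "timeout" for every DNSKEY row and for the TCP rows, while a healthy one returns rcode=0 with a non-zero ancount. Comparing the DO=1 and DO=0 rows separates "drops EDNS" from "drops DNSKEY", and the final TCP row separates a TCP problem from a DNSKEY problem.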

