NOAA.GOV domain not working

Mark Andrews marka at
Tue Sep 19 01:58:28 UTC 2017

In message <36F8DD297FD5504AA37968ADA5BA93EB01178C20EA at>, "Levesque, Ricky (SNB)" writes:
> Thanks Warren,
> I can query all the name servers without issues, and the replies
> are fast (sub 100ms)

Remember nameservers ask questions with different options set to
DiG's default options.  DiG +trace turns on these additional options
or you can use "dig +dnssec +norec".

We really should make all the root and TLD servers return maximal
EDNS answers (pad to the advertised EDNS UDP size).  This would
create a little short term pain by exposing all the broken firewalls
which would then get fixed or the nameserver would be reconfigured
to advertise a smaller EDNS buffer size.  At the moment we have
people stumbling over the odd zone that returns large responses.
Root and TLD operators do everyone a disservice by trying to reduce
UDP response sizes to fit into a single Ethernet frame.  It just
hides the problem caused by bad firewall configuration.
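
Added example, not part of the original message: a Python sketch of a probe that sends the kind of query described above (recursion off, EDNS with the DO bit set and an advertised UDP size) and classifies what comes back. The function names, the fixed query ID and the DNSKEY default query type are assumptions made for illustration.

```python
import socket
import struct

QID = 0x1234  # fixed query ID, fine for a one-off diagnostic

def build_query(name, qtype=48, udp_size=4096):
    """Query as a validating resolver sends it: RD clear, EDNS0 OPT, DO set.
    qtype 48 is DNSKEY, chosen because signed zones often answer it with large responses."""
    header = struct.pack("!HHHHHH", QID, 0x0000, 1, 0, 0, 1)  # flags 0 = no RD; ARCOUNT 1 = OPT
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, CLASS carries the UDP size, TTL carries flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def classify(reply):
    """Turn a raw UDP reply (or None on timeout) into a short verdict."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "not-a-reply"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != QID or not flags & 0x8000:  # wrong ID or QR bit missing
        return "not-a-reply"
    if flags & 0x0200:                    # TC: server truncated, resolver would retry over TCP
        return "truncated"
    return "ok:%d" % len(reply)

def probe(server, name, qtype=48, udp_size=4096, timeout=3.0):
    """Send one query over UDP to server:53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, udp_size), (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            reply = None
    return classify(reply)
```

Calling probe() against each authoritative server with udp_size=4096 and again with a small size such as 512 separates the cases: a timeout at the large size alongside "ok" or "truncated" at the small size points at something on the path dropping large or fragmented UDP responses.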

