Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Paul Vixie Paul_Vixie at
Thu Nov 22 19:46:29 UTC 2007

> .., and I am pretty sure both networks should not have edns issues.

most edns issues are really ip fragmentation issues.  firewalls that allow
a certain server to send or receive udp/53 but which don't retain IP ID
state to allow matching fragments, tend to break edns.  most of the firewalls
that do this are software devices running on the same host as the dns
server.  fairly often the cure is worse than the disease (allow all frags).
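An added diagnostic (not from this thread) for checking a resolver you operate for the symptom described above: it sends the same EDNS0 query while advertising decreasing UDP payload sizes; a reply at small sizes but silence at 4096 is what dropped non-first fragments look like. The server address, the DNSKEY query type and the name example.com are assumptions.

```python
import socket
import struct

def build_query(name: str, udp_payload_size: int, txid: int = 0x1234) -> bytes:
    """DNSKEY/IN query with an EDNS0 OPT record advertising udp_payload_size and DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 48, 1)  # DNSKEY (48), class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the payload size, TTL carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0x00008000, 0)
    return header + question + opt

def parse_response(data: bytes) -> dict:
    """Pull out the header fields that matter for this check."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "size": len(data)}

def probe(server: str, name: str, sizes=(4096, 1232, 512), timeout: float = 3.0) -> dict:
    """Query once per advertised size; None records a timeout (no UDP reply arrived)."""
    results = {}
    for size in sizes:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, size), (server, 53))
            data, _ = s.recvfrom(65535)
            results[size] = parse_response(data)
        except socket.timeout:
            results[size] = None
        finally:
            s.close()
    return results

def diagnose(results: dict) -> str:
    """Silence at the largest size while smaller sizes answer points at fragment filtering;
    a TC-flagged reply at a small size is normal (client falls back to TCP)."""
    sizes = sorted(results)
    answered = [s for s in sizes if results[s] is not None]
    if not answered:
        return "no-response"
    if results[sizes[-1]] is None:
        return "large-response-lost"
    return "ok"

if __name__ == "__main__":
    # Assumed resolver address; replace with the host under test.
    print(diagnose(probe("127.0.0.1", "example.com")))
```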

