Resolving .gov w/dnssec

Chris Thompson cet1 at cam.ac.uk
Thu Apr 22 14:52:21 UTC 2010


On Apr 22 2010, Paul Wouters wrote:

>On Thu, 22 Apr 2010, Timothe Litt wrote:
>
>> I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
>> configured as validating resolvers.
>>
>> Using dig, I get a connection timeout error after a long (~10 sec) delay.
>> +cdflag provides an immediate response.
>
>> Is anyone else seeing this?  Ideas on how to troubleshoot?
>
>I have the same problems with our validating unbound instance. 

I suspect that this has to do with

  dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.

failing with timeouts, while

  dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.

work fine ... with a 1736-byte answer. Probably the fragmented
UDP response is getting lost somewhere near the authoritative
servers themselves.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
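The UDP-versus-TCP DNSKEY check described in the message above, as an added example (not from the original thread), turned into a small script that classifies the outcome for any zone and server. It assumes `dig` from BIND is installed; the 1472-byte threshold is an assumption for a 1500-byte Ethernet MTU (IPv4 header 20 + UDP header 8), and the 1232-byte retry buffer is the value commonly recommended to avoid fragmentation.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumes `dig` from BIND.
ETH_MTU=1500
MAX_UNFRAG_UDP=$((ETH_MTU - 28))   # 1472: largest DNS/UDP payload that avoids fragmentation

# One non-recursive DNSKEY query with the DO bit.
# $1 zone, $2 server, $3 transport ("udp" or "tcp"), $4 optional EDNS bufsize for UDP
dnskey_query() {
    zone=$1; server=$2; transport=$3; bufsize=${4:-4096}
    if [ "$transport" = tcp ]; then
        dig +dnssec +norec +tcp +time=5 +tries=1 dnskey "$zone" "@$server"
    else
        dig +dnssec +norec +notcp +bufsize="$bufsize" +time=5 +tries=1 dnskey "$zone" "@$server"
    fi
}

# Extract the "MSG SIZE  rcvd: N" value from dig output; prints nothing if absent.
response_size() {
    printf '%s\n' "$1" | sed -n 's/.*MSG SIZE *rcvd: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a probe from the dig output of the UDP attempt ($1) and the TCP attempt ($2).
# Prints: ok, udp-timeout-fragment-loss-suspected, udp-timeout-other, or tcp-failed
diagnose() {
    udp_out=$1; tcp_out=$2
    tcp_size=$(response_size "$tcp_out")
    [ -n "$tcp_size" ] || { echo tcp-failed; return; }
    if printf '%s\n' "$udp_out" | grep -q 'connection timed out'; then
        if [ "$tcp_size" -gt "$MAX_UNFRAG_UDP" ]; then
            echo udp-timeout-fragment-loss-suspected   # TCP works, UDP answer needs fragments
        else
            echo udp-timeout-other                     # small answer: fragmentation is not the cause
        fi
    else
        echo ok
    fi
}

# Full probe: UDP with a large buffer, then TCP. If fragment loss is suspected, retry UDP
# with bufsize 1232 so the server truncates and dig falls back to TCP instead of fragments.
probe_zone() {
    udp_out=$(dnskey_query "$1" "$2" udp 4096 2>&1)
    tcp_out=$(dnskey_query "$1" "$2" tcp 2>&1)
    verdict=$(diagnose "$udp_out" "$tcp_out")
    echo "$1 @$2: $verdict (tcp answer size: $(response_size "$tcp_out") bytes)"
    if [ "$verdict" = udp-timeout-fragment-loss-suspected ]; then
        dnskey_query "$1" "$2" udp 1232 | grep -E 'flags:|MSG SIZE'
    fi
}
```

Run `probe_zone uspto.gov dns1.uspto.gov` to reproduce the check; a `tc` flag in the 1232-byte retry followed by a TCP answer means the resolver can still validate once the path no longer depends on fragments.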




More information about the bind-users mailing list