Resolving .gov w/dnssec
Joe Baptista
baptista at publicroot.org
Thu Apr 22 15:07:41 UTC 2010
Looks like the future of the DNSSEC make work project includes resolution
failures here and there. More security - less stability - guaranteed
slavery. I wonder if it's a fair trade.
we'll see ..
regards
joe baptista
On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
> On Apr 22 2010, Paul Wouters wrote:
>
> On Thu, 22 Apr 2010, Timothe Litt wrote:
>>
>> I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
>>> configured as validating resolvers.
>>>
>>> Using dig, I get a connection timeout error after a long (~10 sec) delay.
>>> +cdflag provides an immediate response.
>>>
>>
>> Is anyone else seeing this? Ideas on how to troubleshoot?
>>>
>>
>> I have the same problems with our validating unbound instance.
>>
>
> I suspect that this has to do with
>
> dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
>
> failing with timeouts, while
>
> dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.
>
> work fine ... with a 1736-byte answer. Probably the fragmented
> UDP response is getting lost somewhere near the authoritative
> servers themselves.
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
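The symptom in the quoted reply (UDP DNSKEY queries time out while TCP returns a 1736-byte answer) can be checked with the sketch below, an added example that is not part of the original thread. It builds the same +dnssec +norec query in wire format, works out how a UDP answer of a given size fragments, and classifies the probe results. The function names, result labels and the 1500-byte path MTU are assumptions.

```python
import socket
import struct

def build_query(name, qtype=48, udp_size=4096, txid=0x1234):
    """DNSKEY (type 48) query with RD=0 and an EDNS0 OPT record, DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # flags 0 = +norec
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = advertised UDP size, TTL carries DO
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def ipv4_fragments(dns_len, mtu=1500, ip_hdr=20, udp_hdr=8):
    """IP payload bytes carried by each fragment of one UDP DNS message."""
    remaining = dns_len + udp_hdr
    per_frag = (mtu - ip_hdr) // 8 * 8  # non-final fragments: multiple of 8
    sizes = []
    while remaining > 0:
        sizes.append(min(per_frag, remaining))
        remaining -= sizes[-1]
    return sizes

def probe(server, query, tcp=False, timeout=5.0):
    """Response length in bytes, or None on timeout or connection error."""
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                f = s.makefile("rb")
                (n,) = struct.unpack("!H", f.read(2))
                return len(f.read(n))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return len(s.recvfrom(65535)[0])
    except (OSError, struct.error):
        return None

def diagnose(udp_len, tcp_len, mtu=1500):
    """Classify the UDP/TCP probe results (assumed path MTU, default 1500)."""
    if udp_len is not None:
        return "udp-ok"
    if tcp_len is None:
        return "unreachable"
    if len(ipv4_fragments(tcp_len, mtu)) > 1:
        return "fragmented-udp-lost"
    return "udp-blocked"
```

With `q = build_query("uspto.gov")`, calling `diagnose(probe(server, q), probe(server, q, tcp=True))` against each authoritative server reproduces the comparison made with dig above.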