Resolving .gov w/dnssec

Barry Margolin barmar at alum.mit.edu
Fri Apr 23 03:16:38 UTC 2010


In article <mailman.1238.1271957025.21153.bind-users at lists.isc.org>,
 Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 22 Apr 2010, Chris Thompson wrote:
> 
> >> I have the same problems with our validating unbound instance. 
> >
> > I suspect that this has to do with
> >
> > dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
> > dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
> >
> > failing with timeouts, while
> >
> > dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
> > dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.
> >
> > work fine ... with a 1736-byte answer. Probably the fragmented
> > UDP response is getting lost somewhere near the authoritative
> > servers themselves.
> 
> But wouldn't it fall back to TCP then?

TCP fallback occurs when the server sets the Truncate flag in the 
response, because it can't fit the answer in the datagram.  But if the 
response is lost because something is blocking part of it, that just 
looks like a timeout.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
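An added illustration of the fallback rule described in the reply above (example code, not from the thread or from BIND/unbound): a resolver retries over TCP only when a UDP reply arrives with the TC bit set, so a fragmented reply that is dropped in transit is indistinguishable from a dead server. The header bytes and the two simulated paths are constructed, not captures.

```python
import struct

TC = 0x0200   # Truncation bit in the DNS header flags (RFC 1035)
QR = 0x8000   # Response bit

def dns_header(ident, flags, qdcount=1, ancount=0):
    """Build a 12-byte DNS header (constructed sample data, not a capture)."""
    return struct.pack("!6H", ident, flags, qdcount, ancount, 0, 0)

def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "tc": bool(flags & TC), "ancount": an, "size": len(msg)}

def resolve(query, udp_send, tcp_send):
    """Resolver-side fallback rule: TCP is tried only when a UDP reply
    arrives with TC=1. A UDP reply that never arrives is just a timeout."""
    reply = udp_send(query)
    if reply is None:
        return "timeout", None
    if parse_header(reply)["tc"]:
        return "tcp", tcp_send(query)
    return "udp", reply

# Constructed stand-ins for the answers discussed on the list.
QUERY = dns_header(0x1234, 0x0000)                                  # DNSKEY query, RD=0
FULL = dns_header(0x1234, QR, ancount=6) + b"\x00" * (1736 - 12)    # 1736-byte DNSKEY answer
TRUNCATED = dns_header(0x1234, QR | TC, ancount=0)                  # short reply with TC set

def udp_frag_lost(query):
    """Path that drops fragmented UDP: a reply larger than one MTU never arrives."""
    return None if len(FULL) > 1500 else FULL

def udp_small_buffer(query):
    """Server that cannot fit the answer in the advertised UDP buffer sets TC."""
    return TRUNCATED

def tcp_ok(query):
    """TCP transport: the full 1736-byte answer comes through."""
    return FULL

if __name__ == "__main__":
    print("fragments dropped  ->", resolve(QUERY, udp_frag_lost, tcp_ok)[0])     # timeout
    print("TC set by server   ->", resolve(QUERY, udp_small_buffer, tcp_ok)[0])  # tcp
```

The first path is what the `+vc` experiment above exposes: only forcing TCP from the client side gets the large DNSKEY answer back, because nothing ever tells the resolver to fall back.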