You really want to work out what is being blocked: EDNS? Responses bigger than 512 bytes? DNSSEC? Fragmented responses? With a clean path all of these should succeed but only the last one won't have "tc" set.

This does a plain DNS query, an EDNS query that limits the response to 512 bytes, a DNSSEC query that limits the response to 512 bytes, a DNSSEC query that limits the response to something that would not normally be fragmented but exceeds 512 bytes, a DNSSEC query that will normally be fragmented.

% dig soa se @192.36.133.107 +norec +ignore
% dig soa se @192.36.133.107 +norec +ignore +bufsize=512
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec

Named does the following by default. Ensure you have an up-to-date version of named.

dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
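
An added example, not part of the original message: a shell wrapper that runs the same dig ladder and reduces each reply to a one-line verdict, so the step where replies stop arriving or start coming back truncated stands out. The server address and query options are the ones in the message; the `classify` and `probe_ladder` names, the step labels and the `+tries=1 +time=3` limits are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the original message). Server and dig options are
# the ones quoted in the message; labels, function names and the
# +tries/+time limits are assumptions added for this sketch.
SERVER=${SERVER:-192.36.133.107}

# classify: read one dig reply on stdin and print a one-line verdict:
#   no-response | rcode=<RCODE> | truncated size=<n> | ok size=<n>
classify() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,/, "", rcode) }
        }
        # ";; flags: qr aa tc; QUERY: 1, ..." -> third ";"-field holds the flags
        /^;; flags:/   { split($0, p, ";"); if (p[3] ~ / tc( |$)/) tc = 1 }
        /^;; MSG SIZE/ { size = $NF }
        END {
            if (rcode == "")        { print "no-response"; exit }
            if (rcode != "NOERROR") { print "rcode=" rcode; exit }
            state = tc ? "truncated" : "ok"
            print state " size=" size
        }'
}

# probe_ladder: run each step once and print "<label> <verdict>".
probe_ladder() {
    while read -r label qtype opts; do
        # $opts is left unquoted on purpose so it splits into dig options
        verdict=$(dig "$qtype" se "@$SERVER" +norec +ignore +tries=1 +time=3 \
                      $opts </dev/null 2>&1 | classify)
        printf '%-22s %s\n' "$label" "$verdict"
    done <<EOF
plain            soa
edns-512         soa    +bufsize=512
edns-1200        dnskey +bufsize=1200
dnssec-512       dnskey +bufsize=512 +dnssec
dnssec-1200      dnskey +bufsize=1200 +dnssec
dnssec-4096      dnskey +bufsize=4096 +dnssec
EOF
}

# Only touch the network when asked to: sh probe.sh run
if [ "${1:-}" = "run" ]; then probe_ladder; fi
```

With a single try per step, one lost packet also shows up as no-response, so repeat a failing step before concluding that the path drops it.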