Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Donika Mirdita
Hello Petr, This setup was not meant to address a specific problem or be implemented in a production situation. I am running an experiment and one of the criteria was for clients to connect with us via tcp only. I don't have control on the clients (only nameserver) and relying on whether

RE: Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

2021-10-01 Thread Richard T.A. Neal
Ondřej Surý said: > Hi Richard, > this is not the case. > slack.com botched their DS/DNSKEY deployment (there’s a thread on > dns-operations about it). Thanks for the correction, my mistake. Apologies for the list spam! Richard.

Re: Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

2021-10-01 Thread Ondřej Surý
Hi Richard, this is not the case. slack.com botched their DS/DNSKEY deployment (there’s a thread on dns-operations about it). Ondrej -- Ondřej Surý (He/Him) ond...@isc.org > On 1. 10. 2021, at 18:46, Richard T.A. Neal wrote: > > For those of you facing a curious issue with BIND failing to

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
I should be clearer about this. The media devices send a lot of traffic. They manipulate the wifi landscape in proprietary (remember the TCP throughput wars 20+ years ago?) or at least unexpected ways. Stupid wifi access point follows "conventional wisdom" and drops UDP traffic. Doesn't

Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

2021-10-01 Thread Richard T.A. Neal
For those of you facing a curious issue with BIND failing to resolve records for some zones today, it’s not necessarily BIND having “a Friday moment”. It looks like the LetsEncrypt root certificate expiry is even impacting some DNSSEC zones that have used a LetsEncrypt certificate to sign their

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
Exactly! On Thu, 30 Sep 2021, Carl Byington wrote: On Thu, 2021-09-30 at 16:30 -0700, Fred Morris wrote: https://github.com/m3047/tcp_only_forwarder So what exactly are the media devices doing to screw up dns resolution between the osx laptop and the local dns server? Dropping UDP

Re: Recursion setting for bind9

2021-10-01 Thread Petr Menšík
Hi Sonal, I do not think forwarders specified in zone work as fixed order. It would not work by first contacting 127.0.0.1, if that did not deliver the answer, try 199.165.24.21. Forwarders in bind are configured as a set, not ordered list. It would use whatever just gives faster replies. I am

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Petr Menšík
Hi Donika, I think it can be partially achieved by options use-vc in /etc/resolv.conf on end clients. But I doubt every software would process this flag, only part of them would use it. I doubt many daemons doing direct DNS queries would follow such configuration. Can you share why you are even