On Wed, 3 Jun 2009, Kevin Darcy wrote: > Kevin Darcy wrote: > > Since .org was recently DNSSEC-signed > > (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you > > have a firewall, an intrusion-prevention device, or somesuch, that is > > dropping the packets because it doesn't understand the DNSSEC records > > contained in them.
(Ignoring the "never mind" ...) That might be the case. 9.6 has DNSSEC validation enabled by default so the corresponding DNSSEC records and signatures may be sent back regardless if the label requested is signed or not. Such as the NSEC3 (TYPE50) and RRSIGs in the AUTHORITY section. Juan: Please use dig instead. Please try with DNSSEC checking disabled, for example: dig +cd www.mirrorservice.org @10.20.29.22 dig +cd www.madrid.org @10.20.29.22 dig +cd www.wikipedia.org @10.20.29.22 Please look at your BIND logging. (Maybe search for "error".) _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
