On Fri, 2009-10-02 at 13:22 +1000, Mark Andrews wrote:
> You really want to work out what is being blocked, EDNS?, responses
> bigger than 512 bytes? DNSSEC? fragmented responses? With a clean
> path all of these should succeed but only the last one won't have
> "tc" set. This does a plain DNS query, an EDNS query that limits
> the response to 512 bytes, a DNSSEC query that limits the response
> to 512 bytes, a DNSSEC query that limits the response to something
> that would not normally be fragmented but exceeds 512 bytes, a
> DNSSEC query that will normally be fragmented.
>
> % dig soa se @192.36.133.107 +norec +ignore
> % dig soa se @192.36.133.107 +norec +ignore +bufsize=512

The above two work, the below four do not work (connection timed out; no servers could be reached). (note: I replaced se with my domain.tld, and the @ with my server).

> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
> % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
>
> Mark

Thanks for the help, but I don't know what this implies, other than nothing dnssec-related with udp works ;)

Thanks,
-- 
Nicholas Wheeler
Systems Administrator
Development Infostructure
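The six probes from the thread as one script, added here as an example and not part of the original messages: it runs each query and reports whether it was answered, answered with "tc" set, or timed out. The function names `classify_dig` and `probe_ladder` and the probe labels are assumptions of this example; the dig options are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh probe.sh <server-ip> <zone>

# Classify one dig output read on stdin as:
#   timeout | truncated | answered | unknown
classify_dig() {
    awk '
        /connection timed out/ { r = "timeout" }
        /^;; flags:/ {
            # ";; flags: qr aa tc; QUERY: 1, ..." -> parts[3] holds the flags
            split($0, parts, ";")
            r = (parts[3] ~ / tc( |$)/) ? "truncated" : "answered"
        }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Run the probes in the order given in the thread and print "label<TAB>result".
# Labels (first column) are hypothetical names chosen for this example.
probe_ladder() {
    server=$1
    zone=$2
    while read -r label qtype opts; do
        # $opts is left unquoted on purpose so it splits into separate options
        result=$(dig "$qtype" "$zone" "@$server" +norec +ignore $opts \
                     </dev/null 2>&1 | classify_dig)
        printf '%s\t%s\n' "$label" "$result"
    done <<'EOF'
plain soa
edns512 soa +bufsize=512
edns1200 dnskey +bufsize=1200
dnssec512 dnskey +bufsize=512 +dnssec
dnssec1200 dnskey +bufsize=1200 +dnssec
dnssec4096 dnskey +bufsize=4096 +dnssec
EOF
}

# Only query the network when both arguments are supplied.
if [ $# -eq 2 ]; then
    probe_ladder "$1" "$2"
fi
```

Running it from both inside and outside the suspect network path, and comparing the two tables, shows which class of response is being dropped on the way.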

