We recently ran into an intermittent problem sending queries to a business partner. Turns out they had CheckPoint firewalls with SmartDefense turned of for DNS traffic. This was blocking traffic going to them with DO flag enabled. I could duplicate the problem from a command line by issuing "dig @partner hostname +DNSSEC" and this failed everytime. When querying through the DNS server though using NSLOOKUP on WinXP, the resolution was hit-and-miss. Watching a sniffer trace, sometimes BIND 9.4.1-P1 would send with DO flag enabled, and other times without.
I know this is an older version of BIND, and lots of bugs fixed in newer versions. However, looking at sniffer traces from 9.7.0-P2 shows the same behavior = sometimes DO is set and sometimes not set. Can someone explain when BIND sets DO flag and when it won't? Most of my client workstations are XPSP3, and NONE of the queries coming from those clients have DO flag set. Any help is appreciated... Gord Taylor (CISSP, GCIH, GEEK) _______________________________________________________________________ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. Lexpéditeur ne renonce pas aux droits et obligations qui sy rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements quil contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez men aviser immédiatement, par retour de courriel ou par un autre moyen. _______________________________________________ bind-users mailing list email@example.com https://lists.isc.org/mailman/listinfo/bind-users