Thanks. It took a long time to sort out the root cause because EDNS0 (dig @host record.sample +edns=0) caused no problems, only +dnssec caused failures. The business partner has already fixed their firewall (allow_dnssec_bit=1 on CheckPoint), but I wanted to understand the root cause in order to proactively prevent future problems.

Kalman - thanks, I'll check the mailing list history. I did that before posting, but couldn't find the right set of keywords to find the chain you're referencing.

Kevin (et al.) - apologies for the legal notice. It's added at our SMTP gateway, so not something I can control on a per-message basis either. If I could get to my webmail account (also blocked) I'd send from there. Welcome to corporate environments...

-----Original Message-----
From: Evan Hunt [mailto:e...@isc.org]
Sent: 2010, September, 29 7:25 PM
To: Taylor, Gord
Cc: bind-us...@isc.org
Subject: Re: When does BIND send queries with DO flag enabled?

> Can someone explain when BIND sets DO flag and when it won't? Most of
> my client workstations are XPSP3, and NONE of the queries coming from
> those clients have DO flag set.

The DO bit is part of the EDNS option record, and some servers (and more to the point, some firewalls) are broken and don't understand EDNS. When BIND doesn't initially get an answer to a query, it retries in different ways, and eventually (on the third try, if I recall correctly) it tries omitting the EDNS option. No EDNS means no DO bit, and I'm pretty sure that's what you're seeing on the trace.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.