On 15/05/12 13:22, Brian J. Murrell wrote:
> On 12-05-02 09:29 AM, Mark Andrews wrote:
>> * a firewall blocking EDNS queries.
>> * using a non DNSSEC enabled forwarder so you don't get signatures.
>> * a firewall blocking fragmented UDP and named falling back to
>>   plain DNS.
>> * other packet loss causing named to fallback to plain DNS.
>
> Given that I have confirmed EDNS works with:
>
>   dig edns-v4-ok.isc.org TXT
>   dig edns-v6-ok.isc.org TXT
>
> and that I don't have a firewall that would/should be dropping
> (properly) fragmented UDP[1] and I have no other indications of packet
> loss, are we looking at a bug in BIND9 to explain this (mis-)behavior?

Isn't it more likely it's a local problem?
Which version of bind are you running? Does *any* zone validate e.g. try:
dig +dnssec @localhost www.ic.ac.uk
...and you should see:
; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11
Note the "ad" flag - "authenticated data".
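
An added example, not part of the original thread: a shell helper that reads `dig +dnssec` output and reports whether the `ad` flag is set and, if it is not, whether any RRSIG records came back at all, which separates a resolver that is not validating from a client that never received signatures. The sample output and the function names (`header_flags`, `has_ad`, `has_rrsig`, `classify_dig`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec` output by AD flag and RRSIG presence.

# Constructed sample output (not captured from a real resolver).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 8 3 300 20120601000000 20120501000000 12345 example.test. c2FtcGxl'
# Same answer without the ad flag: signatures arrived but were not validated.
SAMPLE_UNVALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')
# No ad flag and no RRSIG: nothing to validate reached the client.
SAMPLE_STRIPPED=$(printf '%s\n' "$SAMPLE_UNVALIDATED" | grep -v RRSIG)

# Print the header flags (e.g. "qr rd ra ad") from dig output on stdin.
# The EDNS line starts with "; EDNS", so its own "flags: do" is not matched.
header_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# Succeed if "ad" appears as a whole word among the header flags.
has_ad() {
    header_flags | tr ' ' '\n' | grep -qx 'ad'
}

# Succeed if any resource record of type RRSIG is present.
has_rrsig() {
    awk '$3 == "IN" && $4 == "RRSIG" { found = 1 } END { exit !found }'
}

# Read dig output on stdin and print one of:
#   validated             ad flag set
#   signed-not-validated  RRSIGs returned, ad flag absent
#   no-signatures         no RRSIGs (unsigned zone, or signatures lost upstream)
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | has_ad; then
        echo validated
    elif printf '%s\n' "$out" | has_rrsig; then
        echo signed-not-validated
    else
        echo no-signatures
    fi
}

for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED" "$SAMPLE_STRIPPED"; do
    printf '%s\n' "$s" | classify_dig
done
```

Against a live resolver the same function can be fed directly, for example `dig +dnssec @localhost www.ic.ac.uk | classify_dig`. A `no-signatures` result for a zone known to be signed is consistent with the non-DNSSEC forwarder and fallback-to-plain-DNS causes listed in the quoted message.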