Thanks David,

This is the response I get:

dig +short rs.dns-oarc.net txt @<forwarderip>
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"50.16.87.189 sent EDNS buffer size 4096"
"50.16.87.189 DNS reply size limit is at least 3843 bytes"

On Fri, Aug 2, 2013 at 11:11 AM, David Newman <dnew...@networktest.com> wrote:

> On 8/1/13 10:19 PM, rams wrote:
>
> > I have 9.7 bind installed and configured recursive. When I query
> > against forwarder I am not getting AD flag but remaining answer is
> > correct for signed query. Could you please guide me how to get AD flag.
> > Already I have enabled dnssec-validation and dnssec-enabled.
>
> It's possible your forwarder has a bug that doesn't return DNSSEC
> responses (this is the case with one of our registrars' secondaries), or
> there may be a network problem.
>
> Try the dns-oarc reply size test against your forwarder:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> $ dig +short rs.dns-oarc.net txt @address_of_your_forwarder
>
> DNSSEC nameservers should not truncate or fragment responses, and should
> support EDNS and UDP and TCP responses. Fix any problems here first
> before doing DNSSEC debugging.
>
> You might also try querying other nameservers (e.g., Google's at
> 8.8.8.8) and check the flags there.
>
> dn

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
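
Added example, not part of the original messages: a shell script that applies the checks in the order given in the quoted reply (reply size and EDNS first, AD flag second) to saved dig output. The function names, the MIN_REPLY threshold of 1232 bytes and the dig header lines are assumptions made for illustration; the TXT lines are the ones posted above.

```shell
#!/bin/sh
# Added example: works on saved dig output only; sends no DNS queries.
MIN_REPLY=${MIN_REPLY:-1232}   # assumed minimum reply size, not from the thread

# $1 = "edns" or "limit", $2 = output of: dig +short rs.dns-oarc.net txt @fwd
replysize_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { gsub(/"/, "") }
        want == "edns"  && /sent EDNS buffer size/            { v = $NF }
        want == "limit" && /DNS reply size limit is at least/ { v = $(NF-1) }
        END { print (v ~ /^[0-9]+$/ ? v : 0) }'
}

# Succeeds if the header flags line of full dig output ($1) contains "ad".
has_ad_flag() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Transport problems are reported before the AD flag is considered.
diagnose() {
    edns=$(replysize_field edns "$1"); limit=$(replysize_field limit "$1")
    if [ "$edns" -eq 0 ] || [ "$limit" -lt "$MIN_REPLY" ]; then
        echo "transport: fix EDNS/reply size first (edns=$edns limit=$limit)"
    elif has_ad_flag "$2"; then
        echo "ok: AD flag set (edns=$edns limit=$limit)"
    else
        echo "validation: transport fine, AD flag missing (edns=$edns limit=$limit)"
    fi
}

# TXT lines as posted in the thread.
REPLYSIZE_SAMPLE='"50.16.87.189 sent EDNS buffer size 4096"
"50.16.87.189 DNS reply size limit is at least 3843 bytes"'
# Constructed dig header lines, not captured from a real server.
DIG_NO_AD=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_AD=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

diagnose "$REPLYSIZE_SAMPLE" "$DIG_NO_AD"
```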