Your MTU is not the point. It's what happens beyond your equipment that may have a bearing. However, as I said, I don't think IP fragmentation will be your problem in this case, so that's a whole other discussion for a different day. pcaps are your friend though. From a packet capture you can see exactly what happened on the wire, rather than speculate.
Cheers, Greg

On Fri, 13 May 2022 at 18:00, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
> My MTU is 1500 bytes, so I don't think that's the problem.
>
> But UDP can fragment via IP...
>
>
> > On May 13, 2022, at 10:34 AM, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:
> >
> > Hi Philip.
> > Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and just traced what happens going from "dnssec-validation no;" to "dnssec-validation auto;" It makes a DNSKEY query for "." to one of the roots. The response size was over 900 bytes, so depending on what UDP payload size is advertised there might need to be some retrying over TCP. But you'll only know whether that is happening from a pcap.
> > So I'd say.. check EDNS payload size, check what your firewall(s) is/are prepared to let through, check whether DNS/TCP is allowed at all, check if something is doing IP fragmentation (though I wouldn't expect this to come into play with a packet ~1k).
> >
> > I hope some of that is useful.
> > Cheers, Greg
> >
> > On Fri, 13 May 2022 at 17:07, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
> > After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing a lot of:
> >
> >
> > May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
> > May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 8.8.4.4#53
> > May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 8.8.4.4#53
> > May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 66.232.64.10#53
> > May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature found
> > May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 66.232.64.10#53
> >
> >
> > In my options, I had:
> >
> > dnssec-validation auto;
> >
> > But had to turn this off. It had been working. This is a production firewall/router.
> >
> > What troubleshooting should I do to fix this?
> >
> > I had tried:
> >
> > rndc managed-keys refresh
> > rndc managed-keys sync
> >
> > But don't understand why that would have been necessary unless the root keys got updated recently.
> >
> > Scrolling to the very top of the logs I see:
> >
> > May 12 19:24:04 OpenWrt named[11061]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
> >
> > Thanks,
> >
> > -Philip
> >
> >
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > ISC funds the development of this software with paid support subscriptions.
> > Contact us at https://www.isc.org/contact/ for more information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users