On Apr 29, 2013, at 6:50 AM, bert hubert <[email protected]> wrote:
> If BIND experiences a timeout on a query for a domain, it assumes this might
> be because of EDNS0 compatibility issues, and retries without EDNS0.
>
> BIND does this even for domains for which it wants to do validation. Since
> it does not get RRSIGs if it does not use EDNS0, it declares all future
> answers bogus. Unbound does not do EDNS0 fallback for domains for which it
> has seen a trust anchor or DS.

Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed?

--Paul Hoffman

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
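The fallback behaviour discussed in this thread, as an added example that is not part of the original messages and is not BIND or Unbound code: a simplified model showing that the DO bit exists only inside the EDNS0 OPT record, so a retry without EDNS0 cannot return RRSIGs for a signed zone. The function names, the 1232-byte payload size and the simulated timeout are assumptions made for illustration.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag, carried in the OPT record's TTL field (RFC 3225)
OPT_TYPE = 41     # EDNS0 pseudo-RR type (RFC 6891)

def build_query(qname, qtype=1, edns=True, do=True, msg_id=0x1234):
    """Wire-format query; the OPT record is the only place the DO bit can live."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1 if edns else 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT if do else 0, 0)
    return header + question + opt

def has_do_bit(wire):
    """True if a single-question query carries an OPT record with DO set."""
    if struct.unpack("!H", wire[10:12])[0] == 0:   # ARCOUNT == 0: no OPT at all
        return False
    i = 12
    while wire[i]:                                 # skip the QNAME labels
        i += 1 + wire[i]
    i += 5                                         # root label + QTYPE + QCLASS
    rtype, _payload, ttl = struct.unpack("!HHI", wire[i + 1:i + 9])
    return rtype == OPT_TYPE and bool(ttl & DO_BIT)

def resolve(qname, secure, fallback_when_secure, attempts_lost=1):
    """Model one lookup whose first `attempts_lost` queries time out (constructed loss).

    secure: the resolver has a trust anchor or DS covering the zone.
    fallback_when_secure: drop EDNS0 after a timeout even for such zones.
    Returns (edns_used_on_answered_query, validation_state).
    """
    edns = True
    for attempt in range(attempts_lost + 1):
        wire = build_query(qname, edns=edns)
        if attempt < attempts_lost:                # simulated timeout
            if not secure or fallback_when_secure:
                edns = False                       # retry without EDNS0
            continue
        if not secure:
            return edns, "insecure"
        # Without DO the server omits RRSIGs, so a validator cannot verify the answer.
        return edns, "secure" if has_do_bit(wire) else "bogus"
```

With `fallback_when_secure=True` a single lost packet is enough to turn a correctly signed answer into a validation failure, which is the outcome the quoted message describes.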
