RE: When does BIND send queries with DO flag enabled?

2010-09-30 Thread Taylor, Gord
Subject: Re: When does BIND send queries with DO flag enabled?
Can someone explain when BIND sets DO flag and when it won't? Most of my client workstations are XPSP3, and NONE of the queries coming from those clients have DO flag set. The DO bit is part of the EDNS option record, and some servers

RE: When does BIND send queries with DO flag enabled?

2010-09-30 Thread Tony Finch
On Thu, 30 Sep 2010, Taylor, Gord wrote:
The business partner has already fixed their firewall (allow_dnssec_bit=1 on CheckPoint)
Just in case anyone else is worried about interop problems, I note that allow_dnssec_bit=1 is the default setting. A CheckPoint firewall administrator has to

When does BIND send queries with DO flag enabled?

2010-09-29 Thread Taylor, Gord
We recently ran into an intermittent problem sending queries to a business partner. Turns out they had CheckPoint firewalls with SmartDefense turned of for DNS traffic. This was blocking traffic going to them with DO flag enabled. I could duplicate the problem from a command line by issuing dig

Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kevin Oberman
Date: Wed, 29 Sep 2010 15:51:55 -0400
From: Taylor, Gord gord.tay...@rbc.com
Sender: bind-users-bounces+oberman=es@lists.isc.org
We recently ran into an intermittent problem sending queries to a business partner. Turns out they had CheckPoint firewalls with SmartDefense turned of for

Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kalman Feher
On 29/09/10 10:30 PM, Kevin Oberman ober...@es.net wrote:
Date: Wed, 29 Sep 2010 15:51:55 -0400
From: Taylor, Gord gord.tay...@rbc.com
Sender: bind-users-bounces+oberman=es@lists.isc.org
We recently ran into an intermittent problem sending queries to a business partner. Turns out

Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Evan Hunt
Can someone explain when BIND sets DO flag and when it won't? Most of my client workstations are XPSP3, and NONE of the queries coming from those clients have DO flag set. The DO bit is part of the EDNS option record, and some servers (and more to the point, some firewalls) are broken and