Hi Jamal,

Your trace shows that unbound thinks the connection drops MTU 1500+ packets. Faa.gov uses large keys and has a lot of answers above 1480 - i.e. DNSKEY, NXDOMAIN answers.

Thus your trouble likely stems from fragmentation issues. Your server cannot receive UDP DNS responses that are larger than 1480 or so. A simple dig @..faaserver faa.gov DNSKEY +dnssec from the server shows the timeout it produces, likely.

The best solution is to fix the path that is dropping UDP fragments. Fix your firewall, upgrade it, change Cisco router rules on old equipment. It must be close to your end, because I can get the fragments just fine. This is the best fix, because it allows your server to run better with large responses, and generally cleans up your network.

The workaround is edns-buffer-size: 1280 in unbound.conf.

A code fix is in the svn trunk development version of unbound. That version should fall back to a smaller edns size automatically for you.

And there are useful MTU size test sites out there too.

Best regards,
Wouter

On 10/10/2011 04:41 PM, Bouzeryouh, Jamal wrote:
> Hi,
>
> www.faa.gov can be resolved using a non-DNSSEC resolver to
> 2.20.116.95. However, I failed to resolve this domain using a DNSSEC
> Unbound-1.4.10 resolver.
> The attached trace is the logging of "dig localhost faa.gov" in debug
> level 5 (Verbosity).
>
> Do you have any idea why this domain is not resolvable using DNS SEC?
>
> Thanks in adv.
>
> Jamal Bouzeryouh
>
> System Engineer OPS-Data
> T-Mobile Netherlands BV

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
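
A small probe for the symptom discussed in this thread, added here as an illustration (it is not code from the mail or from the Unbound project): it sends the same DNSKEY query with several advertised EDNS sizes and reports where answers stop arriving. The function names and the list of sizes are assumptions; the server address and zone are supplied on the command line.

```python
import socket, struct, sys

DNSKEY = 48  # RR type number for DNSKEY

def build_query(name, qtype, bufsize, do=True, qid=0x1234):
    """DNS query carrying an EDNS0 OPT record that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL flags (DO = 0x8000), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def classify(response):
    """'truncated' if the TC bit is set in the response header, else 'ok'."""
    flags = struct.unpack("!H", response[2:4])[0]
    return "truncated" if flags & 0x0200 else "ok"

def probe(server, name, qtype, bufsize, timeout=3.0):
    """Send one UDP query; return 'ok', 'truncated' or 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        try:
            return classify(s.recvfrom(65535)[0])
        except socket.timeout:
            return "timeout"

def diagnose(results):
    """results maps advertised size -> status from probe()."""
    answered = [b for b, s in results.items() if s != "timeout"]
    lost = [b for b, s in results.items() if s == "timeout"]
    if not lost:
        return "large UDP responses arrive"
    if not answered:
        return "no UDP answers at any size"
    if max(answered) < min(lost):
        return f"answers at {max(answered)}, timeouts from {min(lost)}: fragments likely dropped"
    return "inconsistent results, repeat the probe"

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]  # authoritative server IP and zone, supplied by you
    sizes = (4096, 1480, 1280, 512)          # assumed probe sizes
    results = {n: probe(server, name, DNSKEY, n) for n in sizes}
    print(results, diagnose(results))
```

A 'truncated' status counts as an answer here, since it shows that a small UDP response made it back over the path.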
