[140113] in North American Network Operators' Group
Re: trouble with .gov dns?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon May  2 13:31:14 2011
From: Florian Weimer <fw@deneb.enyo.de>
To: William Herrin <bill@herrin.us>
Date: Mon, 02 May 2011 19:31:07 +0200
In-Reply-To: <BANLkTikyAsT4unG12ae0GPd0TfAx0XLcVw@mail.gmail.com> (William
	Herrin's message of "Mon, 2 May 2011 13:23:19 -0400")
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
* William Herrin:
> On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>> * William Herrin:
>>> Anyone else having trouble with .gov DNS failing with edns-udp-size
>>> set to 512?
>>
>> You need a UDP size of at least 1220 for DNSSEC, see RFC 3226,
>> section 3. A query that advertises a smaller buffer size is
>> non-compliant. BIND will send such queries, but this is a
>> controversial feature.
> I have "dnssec-enable no;" in my bind config.
It does not seem to have the intended effect.
> Were you able to determine from the tcpdump output that DNSSEC was
> being requested?
[udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags
"OK" means that DO=1 was set.
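As an added illustration (not part of this thread, and not BIND or tcpdump code), the check below reads the EDNS0 OPT pseudo-RR out of a raw DNS query exactly as tcpdump summarised it above: the OPT record's CLASS field carries the advertised UDP payload size and the high bit of its TTL field is the DO flag, so a query with DO=1 and UDPsize=512 can be flagged as violating the 1220-octet minimum of RFC 3226 section 3. The query bytes are constructed inline to mirror the www.nsf.gov query in the capture.

```python
import struct

def build_query(qname, qtype=1, udp_size=512, do=True, txid=10320):
    """Construct a DNS query with one EDNS0 OPT RR in the additional section.
    Constructed sample input modelled on the tcpdump line above (id 10320, [1au])."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)   # qdcount=1, arcount=1
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    q += struct.pack("!HH", qtype, 1)                       # QTYPE, QCLASS=IN
    ttl_flags = 0x8000 if do else 0                         # DO bit lives in the TTL field
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, ttl_flags, 0)
    return header + q + opt

def skip_name(msg, off):
    """Advance past a wire-format name (handles a terminating compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_edns(msg):
    """Return (udp_size, do_bit) from the OPT RR, or None if the query carries no EDNS."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                                     # OPT
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def check_rfc3226(msg):
    """Classify a query against the RFC 3226 s.3 rule: DO=1 requires UDPsize >= 1220."""
    edns = parse_edns(msg)
    if edns is None:
        return "no EDNS: plain query, DNSSEC not requested"
    size, do = edns
    if do and size < 1220:
        return "non-compliant: DO=1 with UDPsize=%d (< 1220)" % size
    return "ok: DO=%d UDPsize=%d" % (int(do), size)
```

Run against a capture, the same classifier tells you whether a resolver that claims DNSSEC is disabled is still setting DO, which is the condition the tcpdump line above shows.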