[140114] in North American Network Operators' Group
Re: trouble with .gov dns?
daemon@ATHENA.MIT.EDU (William Herrin)
Mon May  2 13:48:15 2011
In-Reply-To: <87zkn5t3fo.fsf@mid.deneb.enyo.de>
From: William Herrin <bill@herrin.us>
Date: Mon, 2 May 2011 13:46:59 -0400
To: Florian Weimer <fw@deneb.enyo.de>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, May 2, 2011 at 1:31 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * William Herrin:
>
>> On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>> * William Herrin:
>>>> Anyone else having trouble with .gov DNS failing with edns-udp-size
>>>> set to 512?
>>>
>>> You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
>>> section 3. A query that advertises a smaller buffer size is
>>> non-compliant. BIND will send such queries, but this is a
>>> controversial feature.
>
>> I have "dnssec-enable no;" in my bind config.
>
> It does not seem to have the intended effect.
Hmm. You're right. Bind won't disable DNSSEC unless you turn edns off
completely with:
server 0.0.0.0/0 {
  edns no;
};
Thanks for the info!
Regards,
Bill Herrin
-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004