Looks like the future of the DNSSEC make work project includes resolution failures here and there. More security - less stability - guaranteed slavery. I wonder if it's a fair trade.
we'll see ..

regards
joe baptista

On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson <c...@cam.ac.uk> wrote:

> On Apr 22 2010, Paul Wouters wrote:
>
>> On Thu, 22 Apr 2010, Timothe Litt wrote:
>>
>>> I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
>>> configured as validating resolvers.
>>>
>>> Using dig, I get a connection timeout error after a long (~10 sec) delay.
>>> +cdflag provides an immediate response.
>>>
>>> Is anyone else seeing this? Ideas on how to troubleshoot?
>>
>> I have the same problems with our validating unbound instance.
>
> I suspect that this has to do with
>
>   dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
>   dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
>
> failing with timeouts, while
>
>   dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
>   dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.
>
> work fine ... with a 1736-byte answer. Probably the fragmented
> UDP response is getting lost somewhere near the authoritative
> servers themselves.
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
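The UDP-versus-TCP comparison described in the quoted message can be scripted as a resolver-side check. This is an added example, not code from anyone in the thread: it sends the same non-recursive DNSKEY query with the DO bit set at two EDNS0 buffer sizes and interprets the pair of outcomes. The function names, the IPv4 path with a 1500-byte MTU, and the 4096 and 1232 byte buffer sizes are assumptions.

```python
import socket, struct, sys

DNSKEY, OPT, IPV4_HDR, UDP_HDR = 48, 41, 20, 8

def build_query(name, bufsize, qtype=DNSKEY, qid=0x1234):
    """Non-recursive query with EDNS0 and DO set, like dig +dnssec +norec."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD clear, 1 question, 1 additional
    question = qname + struct.pack("!HH", qtype, 1)      # class IN
    # OPT pseudo-RR: root name, CLASS = advertised UDP size, TTL = flags (DO is 0x8000)
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000, 0)

def ipv4_fragments(dns_len, mtu=1500):
    """IPv4 fragments needed to carry dns_len bytes of DNS over UDP (mtu is an assumption)."""
    per_fragment = (mtu - IPV4_HDR) // 8 * 8   # fragment data travels in 8-byte units
    return -(-(UDP_HDR + dns_len) // per_fragment)

def is_truncated(response):
    """True when the TC bit is set in the DNS header flags."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def probe_udp(server, name, bufsize, timeout=5.0):
    """One UDP query; returns 'timeout', 'truncated' or 'ok'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return "timeout"
    return "truncated" if is_truncated(data) else "ok"

def diagnose(large, small):
    """Interpret a large-buffer probe and a small-buffer probe of the same server."""
    if large == "timeout" and small in ("truncated", "ok"):
        return "large UDP answers lost, fragment loss likely; TCP should work"
    if large == "timeout":
        return "server unreachable over UDP"
    return "large UDP answers arrive"

if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]   # an authoritative server address and its zone
    print(diagnose(probe_udp(server, zone, 4096), probe_udp(server, zone, 1232)))
```

A 1736-byte answer needs two IPv4 fragments at a 1500-byte MTU, so a timeout at the large buffer size together with a truncated reply at the small one matches the fragment-loss explanation given in the message.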