Mark,

> Named has to deal with mutually incompatible scenarios. DNSSEC
> which requires EDNS and nameservers and firewalls which drop EDNS
> requests so named has to turn off EDNS to get answers back.
> Occasionally a set of answers will take too long to get back to
> named or are lost due to network problems and named will fall back
> to issuing plain DNS queries which will of course fail validation
> if the zone is secure and you have a trusted path from a trust
> anchor to that zone. Named will normally re-issue the queries
> and get an answer that can be validated as it tries again to use
> EDNS.
>
> This will happen more often if you have network equipment that is
> blocking large DNS responses (>512 or network MTU) but still lets
> through EDNS responses.
>
> If you see this you should also look for congested network paths
> and paths with long delays.
We have a root-server instance in our building, and reach most others over excellent lines. So while link issues might account for some of these messages, I don't think it's all of them. Especially as I don't expect the resolver to query for '. SOA' very often. Or is this triggered by each (unsigned) response to a question asking for a nonexistent TLD?

Is there a way to get bind to tell the entire story by enabling debug in specific categories?

Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
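As an added example, not part of this thread: a named.conf logging stanza that routes the BIND log categories covering the behaviour Mark describes (EDNS fallback, validation retries, resolver timeouts) to one debug channel, so the fallback and the subsequent successful retry for '. SOA' can be read side by side. The channel name and file path are assumptions; adjust them to your installation.

```conf
logging {
    // Dedicated channel for resolver / DNSSEC troubleshooting.
    // The path is an assumption; pick one named can write to.
    channel edns_debug {
        file "/var/log/named/edns-debug.log" versions 5 size 20m;
        severity debug 3;      // debug 1 is usually enough to see edns-disabled events
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Each time named gives up on EDNS (or drops to a 512-octet buffer)
    // for a server it logs here; this is the fallback Mark describes.
    category edns-disabled { edns_debug; };
    // Validation failures and retries for signed zones such as the root.
    category dnssec { edns_debug; };
    // Timeouts, retries and server selection during recursion.
    category resolver { edns_debug; };
    // Servers that did not answer or answered badly.
    category lame-servers { edns_debug; };
};
```

The debug level of a channel only takes effect for messages at or below named's current debug level, which `rndc trace N` raises at runtime without a restart.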