Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV I experience the following issue. When I attempt to resolve www.jobcorps.gov I get a SERVFAIL message. The authoritative servers return an RRSIG covering the A RR, but the resolver is unable to validate it because it cannot retrieve the DNSKEYs. The servers are attempting to send packets exceeding their PMTU and they apparently don't accept TCP connections, which means that a resolver can't get a complete response for DNSKEYs.
Despite the server misconfigurations, the delegation from .GOV is insecure, so ultimately the result should return insecure data, rather than failure.

Thoughts?

Regards,
Casey
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
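The decision the post turns on, as an added example that is not part of the original message and not BIND's code: a simplified walk down the chain of trust using the RFC 4035 status names, run on constructed data. It assumes a trust anchor covering gov and ignores DLV lookaside; the function names and the `ds`/`dnskey_ok` fields are hypothetical.

```python
from enum import Enum

class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

def classify(chain):
    """Walk zones from the trust anchor down to the zone holding the answer.

    Each entry is constructed data: ds is "anchor" (configured trust anchor),
    "present", "proven-absent" (parent's signed denial of DS), or "unknown";
    dnskey_ok says whether the zone's DNSKEY RRset could be fetched and verified.
    """
    for zone in chain:
        if zone["ds"] == "proven-absent":
            # Insecure delegation: stop here, child DNSKEYs and RRSIGs are never needed.
            return Status.INSECURE, "no DS for %s at its parent" % zone["name"]
        if zone["ds"] == "unknown":
            return Status.BOGUS, "DS status of %s could not be proven" % zone["name"]
        if not zone["dnskey_ok"]:
            return Status.BOGUS, "%s should be signed but its DNSKEY is unavailable" % zone["name"]
    return Status.SECURE, "unbroken chain of trust"

def rcode(status):
    # A validating resolver answers SERVFAIL only for bogus data.
    return "SERVFAIL" if status is Status.BOGUS else "NOERROR"

# Constructed scenario from the post: signed parent, child with unreachable DNSKEYs.
INSECURE_DELEGATION = [
    {"name": "gov", "ds": "anchor", "dnskey_ok": True},
    {"name": "jobcorps.gov", "ds": "proven-absent", "dnskey_ok": False},
]
# Same reachability problem, but with a DS at the parent: failure is then correct.
SECURE_DELEGATION = [
    {"name": "gov", "ds": "anchor", "dnskey_ok": True},
    {"name": "jobcorps.gov", "ds": "present", "dnskey_ok": False},
]

if __name__ == "__main__":
    for label, chain in (("insecure", INSECURE_DELEGATION), ("secure", SECURE_DELEGATION)):
        status, why = classify(chain)
        print(label, status.value, rcode(status), why)
```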