In article <mailman.1592.1383170345.20661.bind-us...@lists.isc.org>, "Samp, Daniel [USA]" <samp_dan...@bah.com> wrote:
> In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
> nih.gov, ssa.gov) it was due to application based filtering (layer 4). For
> some reason the responses from these sites are more often than not fragmented
> and if you have something doing filtering based on ports it may not be
> delivering the follow-up fragments because they do not have the tcp headers.
> Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses
> are being fragmented and whether you are receiving all of the fragments. We
> had to set edns-udp-size to 512 as a workaround until we could identify the
> problematic piece of hardware.
>
> Since the only thing you changed was BIND versions, this may have nothing to
> do with your issue, but I thought I'd throw it out there.

.gov was a relatively early adopter of DNSSEC -- it was mandated for all agencies about 3 years ago, I think. But there were lots of teething pains, which caused frequent outages of some domains. And DNSSEC usually results in large responses, so if your firewall doesn't deal well with EDNS0, you would have problems like that.

-- 
Barry Margolin
Arlington, MA
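As an added illustration (not code from either poster), the following Python script does offline what the tcpdump check above asks for: it walks raw IPv4 packets, groups the fragments of each UDP datagram by (source address, IP identification), flags the groups whose first fragment carries a UDP source port of 53, and reports whether every fragment of each DNS response arrived contiguously up to the final one. The packets are constructed in the script itself (addresses from the 192.0.2.0/24 documentation range, checksums left zero, a 1280-byte zero-filled stand-in for a DNSSEC-sized answer); the "missing trailing fragment" case reproduces the symptom the thread describes, where a port-based filter passes only the first fragment because later fragments carry no UDP header.

```python
import socket
import struct
from collections import defaultdict

DNS_PORT = 53
IPPROTO_UDP = 17
IP_MF = 0x2000           # IPv4 "more fragments" flag
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def build_ipv4(src, dst, ident, offset_bytes, more, payload, proto=IPPROTO_UDP):
    """Build a minimal IPv4 packet; checksum is left 0 because this is constructed test data."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (IP_MF if more else 0) | (offset_bytes // 8)
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def fragment_udp(src, dst, ident, sport, dport, data, max_payload):
    """Split one UDP datagram into IPv4 fragments of at most max_payload bytes each.
    Only the first fragment carries the UDP header, which is exactly why port-based
    filters drop the rest."""
    assert max_payload % 8 == 0
    datagram = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(datagram), max_payload):
        chunk = datagram[off:off + max_payload]
        more = off + max_payload < len(datagram)
        frags.append(build_ipv4(src, dst, ident, off, more, chunk))
    return frags


def parse_ipv4(pkt):
    """Return the header fields needed for reassembly bookkeeping."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "proto": proto,
        "ident": ident,
        "more": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFSET_MASK) * 8,
        "payload": pkt[ihl:total_len],
    }


def analyze_fragments(packets):
    """Group fragmented UDP datagrams and say whether each DNS response is complete."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        if f["proto"] != IPPROTO_UDP:
            continue
        if f["more"] or f["offset"] > 0:  # unfragmented datagrams are not interesting here
            groups[(f["src"], f["ident"])].append(f)

    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        first = frags[0] if frags[0]["offset"] == 0 else None
        # The UDP source port lives in the first fragment only.
        is_dns = first is not None and struct.unpack("!H", first["payload"][:2])[0] == DNS_PORT
        expected, gap = 0, False
        for f in frags:
            if f["offset"] != expected:
                gap = True
            expected = f["offset"] + len(f["payload"])
        complete = first is not None and not gap and not frags[-1]["more"]
        report[key] = {"dns": is_dns, "fragments": len(frags), "complete": complete}
    return report


def constructed_capture():
    """Constructed packets standing in for a tcpdump of port 53 traffic."""
    resolver = socket.inet_aton("10.0.0.10")
    auth_a = socket.inet_aton("192.0.2.53")
    auth_b = socket.inet_aton("192.0.2.54")
    big_answer = b"\x00" * 1280  # placeholder for a DNSSEC-sized response body
    good = fragment_udp(auth_a, resolver, 0x1111, DNS_PORT, 40000, big_answer, 1000)
    # Same response from another server, but the filter dropped the trailing fragment.
    bad = fragment_udp(auth_b, resolver, 0x2222, DNS_PORT, 40001, big_answer, 1000)[:1]
    small_udp = struct.pack("!HHHH", DNS_PORT, 40002, 8 + 100, 0) + b"\x00" * 100
    small = build_ipv4(auth_a, resolver, 0x3333, 0, False, small_udp)  # fits in one packet
    return good + bad + [small]


def report_from_constructed_capture():
    return analyze_fragments(constructed_capture())


if __name__ == "__main__":
    for (src, ident), info in report_from_constructed_capture().items():
        status = "complete" if info["complete"] else "INCOMPLETE"
        print(f"{src} id={ident:#06x} dns={info['dns']} fragments={info['fragments']} {status}")
```

On a real capture the same bookkeeping runs over packets read from a pcap file; a response that shows up as INCOMPLETE is the case the thread describes, and lowering edns-udp-size (or fixing the filter so non-first fragments are passed) is the remedy.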