On 29/12/2017 at 18:27, Andrew W wrote:
On 27/12/2017 13:18, Bernhard Schmidt wrote:
Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
packets. You might have an issue with UDP fragments being dropped at
your firewall/NAT Gateway?
Thanks for this tip. Looking into it I discovered TCP seems to be
recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
problem!
AFAIK TCP is just a fall-back transport to work around UDP packet size
issues. Compared to UDP, TCP transport for DNS wastes system and network
resources.
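The fall-back described in the reply above is driven by the TC (truncated) bit in the DNS header: a server whose answer does not fit the UDP payload size the client advertised (via EDNS0, or the 512-byte default) returns a truncated reply, and the client repeats the same query over TCP, where each message is prefixed with a two-byte length. The following is an added example, not code from this thread or from BIND; it builds the query with an EDNS0 OPT record, implements the client-side retry decision, and runs it against a constructed stand-in server (the `make_fake_server` stub, the filler answer section and the sizes are all assumptions used to exercise the logic offline).

```python
"""Added example: UDP -> TCP fall-back for DNS, driven by the TC header bit.
All messages are constructed inline; nothing is sent over the network."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated
FLAG_RD = 0x0100  # recursion desired
TYPE_OPT = 41     # EDNS0 pseudo-RR (RFC 6891)
TYPE_DNSKEY = 48


def build_query(qname, qtype, txid=0x1234, edns_udp_size=None, dnssec_ok=False):
    """Build a query; with edns_udp_size an OPT record advertises the UDP payload
    size the client accepts, and dnssec_ok sets the DO bit asking for RRSIGs."""
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount) + question
    if edns_udp_size:
        ttl = 0x8000 if dnssec_ok else 0  # DO bit is the high bit of the OPT "TTL" field
        # root name, type OPT, "class" = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "arcount": ar}


def advertised_udp_size(query):
    """UDP payload size from the client's OPT record, or 512 (RFC 1035) without EDNS0."""
    if parse_header(query)["arcount"] == 0:
        return 512
    rtype, size, _ttl, rdlen = struct.unpack("!HHIH", query[-10:])
    return size if rtype == TYPE_OPT and rdlen == 0 else 512


def needs_tcp_retry(response, expected_id):
    """A UDP reply to our query with TC set means: ask again over TCP."""
    hdr = parse_header(response)
    return hdr["id"] == expected_id and hdr["qr"] and hdr["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query, udp_send, tcp_send):
    """Client logic: UDP first, TCP only when the UDP reply was truncated."""
    txid = parse_header(query)["id"]
    resp = udp_send(query)
    if not needs_tcp_retry(resp, txid):
        return resp, "udp"
    framed = tcp_send(tcp_frame(query))
    (length,) = struct.unpack("!H", framed[:2])
    return framed[2:2 + length], "tcp"


def make_fake_server(answer_section_len):
    """Constructed stand-in for a resolver (assumption, not a real server): its
    full reply is a header plus answer_section_len bytes of filler standing in
    for the question and signed answer sections. Over UDP it truncates whenever
    the full reply exceeds the client's advertised size; over TCP it answers fully."""
    def full_response(query):
        hdr = parse_header(query)
        return struct.pack("!HHHHHH", hdr["id"], FLAG_QR | FLAG_RD, 1, 1, 0, 0) \
            + b"\x00" * answer_section_len

    def udp(query):
        full = full_response(query)
        if len(full) <= advertised_udp_size(query):
            return full
        hdr = parse_header(query)  # too big: echo the question, set TC, no answers
        return struct.pack("!HHHHHH", hdr["id"], FLAG_QR | FLAG_RD | FLAG_TC,
                           1, 0, 0, hdr["arcount"]) + query[12:]

    def tcp(framed):
        (length,) = struct.unpack("!H", framed[:2])
        return tcp_frame(full_response(framed[2:2 + length]))

    return udp, tcp


def simulate(answer_section_len, edns_udp_size=None, dnssec_ok=False):
    """Run one lookup against the stand-in server; returns (transport, reply length)."""
    query = build_query("example.com.", TYPE_DNSKEY, edns_udp_size=edns_udp_size,
                        dnssec_ok=dnssec_ok)
    udp, tcp = make_fake_server(answer_section_len)
    resp, transport = resolve(query, udp, tcp)
    return transport, len(resp)


if __name__ == "__main__":
    # 1232 bytes is the EDNS buffer size recommended by DNS Flag Day 2020.
    print(simulate(1800, edns_udp_size=1232, dnssec_ok=True))  # large signed answer: falls back to TCP
    print(simulate(300, edns_udp_size=1232, dnssec_ok=True))   # fits in UDP: no TCP needed
    print(simulate(600))                                        # no EDNS0, 512-byte limit: TCP
```

The point the thread makes shows up in `resolve`: TCP is only used after a truncated UDP reply, so a resolver that cannot receive large UDP datagrams (for instance because fragments are dropped) or that never advertises a larger EDNS0 buffer ends up paying the TCP round trips for every oversized DNSSEC answer; opening TCP/53 makes the fall-back possible, while a working EDNS0 path keeps most answers on UDP.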