On Jul 8, 2020, at 12:31 PM, Viktor Dukhovni <[email protected]> wrote:
>
> With even more verbose debugging, unbound-host reports a DNSKEY response
> size of 1842 bytes.

Interesting. I just see:

# dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @216.81.81.101

; <<>> DiG 9.16.4 <<>> +cd +norecurse +tries +bufsize +dnssec dnskey grantee.fema.gov @216.81.81.101
;; global options: +cmd
;; connection timed out; no servers could be reached

Never a response when I give it a big enough bufsize…
I wonder what unbound is doing that dig isn’t.

Of course our resolvers only ask for bufsize=1410, get a
TC, ask over TCP and get a response with just the SOA,
which isn’t even a valid denial :(
—
Brian
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
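
Added example, not part of the original message: a structural check for the two failure modes described above, a truncated UDP reply and an empty answer from a signed zone whose authority section carries only the SOA. The sample messages, the zone.example name and all function names are constructed for illustration, and no signatures are validated.

```python
import struct

SOA, RRSIG, NSEC, DNSKEY, NSEC3 = 6, 46, 47, 48, 50
TC = 0x0200  # truncation flag in the DNS header

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer always ends the name
            return off + 2
        off += 1 + n

def rr_types(msg):
    """Parse a raw response; return (flags, answer types, authority types)."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen  # fixed RR fields plus RDATA
            types.append(rtype)
        sections.append(types)
    return flags, sections[0], sections[1]

def classify(msg):
    """Structural check only: no signatures are validated."""
    flags, answer, authority = rr_types(msg)
    if flags & TC:
        return "truncated"        # caller should retry over TCP
    if answer:
        return "answer"
    if {NSEC, NSEC3} & set(authority) and RRSIG in authority:
        return "signed-denial"    # NSEC/NSEC3 proof with signatures present
    return "no-denial-proof"      # e.g. SOA only, as reported in this thread

def build(flags, answer=(), authority=()):
    """Constructed sample: one DNSKEY question for zone.example, dummy RDATA."""
    msg = struct.pack("!6H", 1, flags, 1, len(answer), len(authority), 0)
    msg += b"\x04zone\x07example\x00" + struct.pack("!HH", DNSKEY, 1)
    for rtype in (*answer, *authority):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, 4) + b"\0" * 4
    return msg
```
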