On 28.01.2015 20:38, Matthew Seaman wrote:
> What do you get if you run the reply size test at DNS-OARC ?
>
> https://www.dns-oarc.net/oarc/services/replysizetest

0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net." on 9.3.

Looks like "IP Fragments Filtered", but I don't understand — why and where?! I'm using ipfw on both hosts, but I don't have any special rules about IP fragments at all! And these systems are in completely different networks, with different uplinks and FreeBSD versions!

> This should help you eliminate restrictions on the size of DNS
> responses, rather than it being a DNSSEC specific problem.

Yes, it is an EDNS more-than-one-UDP-datagram problem, not a DNSSEC-specific one.

> If you're on 10.x or above, try enabling local_unbound -- beware
> that there's a bug that prevents resolution of RFC1918 and other
> special IP ranges on 10.0, fixed in 10.1. Using a local unbound as
> a forwarder should give you the ability to tweak exactly how it
> talks to your upstream DNSes so that the answers get through more
> reliably.

Unfortunately, I need a recursive resolver for my network and an authoritative server (with views!) on one host. unbound could not do that, so I'm using bind from ports on CURRENT.

-- 
// Lev Serebryakov