On 07/20/2017 03:27 PM, Christian Renner wrote:
>> http://dnsviz.net/d/bankofsingapore.com/dnssec/
>> it looks rather wild
>
> Yes, really wild.
> Thanks for pointing me to the right direction!
There are several issues with that zone, but you can get it to work with 4.0.x. It doesn't work in the default configuration because we ask for DNSSEC answers while advertising a default payload size of 1680 (edns-outgoing-bufsize). The answer is too large, and the servers rightly respond with the TC bit set, forcing us to retry over TCP. Unfortunately neither of the two servers seems to answer over TCP, so we fail.

This can be fixed either by disabling DNSSEC processing (dnssec=off) to revert to the 3.x behavior, since the answers are then small enough for our advertised payload size over UDP, or simply by advertising a larger payload size (edns-outgoing-bufsize=4096).

Of course the servers should answer over TCP.

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
Pdns-users mailing list - https://mailman.powerdns.com/mailman/listinfo/pdns-users
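The failure mode Remi describes (DO bit set, answer larger than the advertised EDNS payload size, TC set by the server, TCP retry that nobody answers) can be reproduced end to end without the network. The following is an added example written for this page, not code from the thread or from PowerDNS: it builds real DNS wire-format queries with an EDNS0 OPT record, parses the TC bit and OPT record out of responses, and runs them against a constructed stand-in for the authoritative servers. The payload sizes 1680 and 4096 come from the message above; the answer sizes (600 bytes unsigned, 2300 bytes signed), the query type A, the address 192.0.2.1 and the `FakeAuthServer` class are assumptions made for the illustration.

```python
import struct

# Payload sizes named in the thread: the recursor default and the suggested larger value.
EDNS_DEFAULT_BUFSIZE = 1680
EDNS_LARGE_BUFSIZE = 4096
TYPE_A, TYPE_OPT = 1, 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
DO_BIT = 0x8000  # "DNSSEC OK", carried in the OPT RR's TTL field (RFC 6891)


def encode_name(name):
    """Wire-format a dotted name without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, qid, bufsize=None, do=False):
    """Build a query; with `bufsize`, attach an OPT RR advertising that UDP payload size."""
    header = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 1 if bufsize else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if bufsize:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=flags (DO), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT if do else 0, 0)
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def find_opt(msg):
    """Return (udp_payload_size, do) from the OPT RR of a query or response, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += rdlen
    return None


class FakeAuthServer:
    """Constructed stand-in for the zone's servers as the thread describes them: the signed
    answer exceeds 1680 bytes, the unsigned one does not, and TCP is never answered."""

    def __init__(self, unsigned_size=600, signed_size=2300, answers_tcp=False):
        self.unsigned_size, self.signed_size, self.answers_tcp = unsigned_size, signed_size, answers_tcp

    def _response(self, query, truncate):
        qid = parse_header(query)["id"]
        qend = skip_name(query, 12) + 4
        flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncate else 0)
        msg = struct.pack("!6H", qid, flags, 1, 0 if truncate else 1, 0, 1) + query[12:qend]
        if not truncate:  # one A record; owner name is a pointer to the question at offset 12
            msg += struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
        return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_LARGE_BUFSIZE, 0, 0)

    def udp(self, query):
        opt = find_opt(query)
        bufsize, do = opt if opt else (512, False)  # no EDNS means the classic 512-byte limit
        needed = self.signed_size if do else self.unsigned_size
        return self._response(query, truncate=needed > bufsize)

    def tcp(self, query):
        if not self.answers_tcp:
            raise ConnectionRefusedError("constructed server: nothing listens on TCP/53")
        return self._response(query, truncate=False)


def resolve(server, name, bufsize, do):
    """Mimic the recursor: ask over UDP; on TC retry over TCP; fail when TCP goes unanswered."""
    query = build_query(name, TYPE_A, 0x1234, bufsize=bufsize, do=do)
    if not parse_header(server.udp(query))["tc"]:
        return "udp"
    try:
        server.tcp(query)
    except OSError:
        return "failed"
    return "tcp"


def demo(name="bankofsingapore.com"):
    """Outcomes for the configurations discussed in the thread, plus a TCP-capable server."""
    server = FakeAuthServer()
    return {
        "default (1680, DO)": resolve(server, name, EDNS_DEFAULT_BUFSIZE, do=True),
        "dnssec=off (1680, no DO)": resolve(server, name, EDNS_DEFAULT_BUFSIZE, do=False),
        "edns-outgoing-bufsize=4096 (DO)": resolve(server, name, EDNS_LARGE_BUFSIZE, do=True),
        "server answering TCP (1680, DO)": resolve(FakeAuthServer(answers_tcp=True), name,
                                                   EDNS_DEFAULT_BUFSIZE, do=True),
    }


if __name__ == "__main__":
    for cfg, outcome in demo().items():
        print(f"{cfg:36} -> {outcome}")
```

Running the block shows the default configuration ending in "failed" while either workaround resolves over UDP; the last row shows that a server which answers TCP would also have made the default configuration work, which is Remi's closing point. The same `build_query`, `parse_header` and `find_opt` helpers can be pointed at a real socket to check whether a server honours the advertised payload size and answers the TCP retry.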
