[ga] Re: Resolving .gov w/dnssec
- To: cet1@xxxxxxxxx, "ga@xxxxxxxxxxxxxx >> GA" <ga@xxxxxxxxxxxxxx>
- Subject: [ga] Re: Resolving .gov w/dnssec
- From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
- Date: Thu, 22 Apr 2010 11:07:41 -0400
Looks like the future of the DNSSEC make work project includes resolution
failures here and there. More security - less stability - guaranteed
slavery. I wonder if it's a fair trade.
we'll see ..
regards
joe baptista
On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson <cet1@xxxxxxxxx> wrote:
> On Apr 22 2010, Paul Wouters wrote:
>
> On Thu, 22 Apr 2010, Timothe Litt wrote:
>>
>> I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
>>> configured as validating resolvers.
>>>
>>> Using dig, I get a connection timeout error after a long (~10 sec) delay.
>>> +cdflag provides an immediate response.
>>>
>>
>> Is anyone else seeing this? Ideas on how to troubleshoot?
>>>
>>
>> I have the same problems with our validating unbound instance.
>>
>
> I suspect that this has to do with
>
> dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
>
> failing with timeouts, while
>
> dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
> dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.
>
> work fine ... with a 1736-byte answer. Probably the fragmented
> UDP response is getting lost somewhere near the authoritative
> servers themselves.
>
> --
> Chris Thompson
> Email: cet1@xxxxxxxxx
>
>
> _______________________________________________
> bind-users mailing list
> bind-users@xxxxxxxxxxxxx
> https://lists.isc.org/mailman/listinfo/bind-users
>
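
The failure mode Chris Thompson describes above (a 1736-byte DNSKEY answer that works over TCP but times out over UDP), as an added example that is not part of the original thread: it builds the EDNS0 query that `dig +dnssec +norec` sends and works out how the answer is carried. The 1500-byte MTU, the 4096-byte advertised size and the 1232-byte alternative are assumptions; only the 1736-byte figure comes from the message.

```python
import struct

DNSKEY, OPT, IN = 48, 41, 1

def build_dnskey_query(name, udp_size=4096, do=True, qid=0x1234):
    """Wire-format DNSKEY query with an EDNS0 OPT record, like dig +dnssec +norec."""
    # Flags 0x0000: RD clear (+norec); 1 question, 1 additional (the OPT record).
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", DNSKEY, IN)
    # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL carries the DO bit.
    ttl = 0x00008000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return header + question + opt

def ipv4_fragments(dns_len, mtu=1500, ip_hdr=20, udp_hdr=8):
    """IP payload size of each fragment needed to carry one UDP DNS message."""
    remaining = dns_len + udp_hdr
    room = mtu - ip_hdr
    per_fragment = room // 8 * 8  # non-final fragments are multiples of 8 bytes
    sizes = []
    while remaining > 0:
        take = remaining if remaining <= room else per_fragment
        sizes.append(take)
        remaining -= take
    return sizes

def predict_udp_outcome(dns_len, advertised, mtu=1500):
    """How an answer of dns_len bytes reaches a client advertising this size."""
    if dns_len > advertised:
        return "truncated (TC=1), client retries over TCP"
    n = len(ipv4_fragments(dns_len, mtu))
    return "single datagram" if n == 1 else f"{n} IP fragments, lost if any one is dropped"

if __name__ == "__main__":
    query = build_dnskey_query("uspto.gov.")
    print(len(query), "byte query, advertised UDP size 4096 (assumed)")
    print("1736-byte answer:", ipv4_fragments(1736), predict_udp_outcome(1736, 4096))
    print("same answer, advertised 1232:", predict_udp_outcome(1736, 1232))
```

A validating resolver that advertises a size below the path MTU gets a truncated reply and falls back to TCP, which is the path the `+vc` queries in the message show working.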