[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: DNSSEC problems
On Sat, 22 Jan 2011, Matthias Scheler wrote:
> Jan 22 09:32:42 colwyn named: validating @0x7f7ff6be2000:
> dlv.isc.org SOA: got insecure response; parent indicates it should be
For some reason, a query for dlv.isc.org's SOA got a response that was
not signed. Some misconfigured firewalls block DNS on UDP responses over
512 bytes. Some broken firewalls block EDNS. Some nameservers don't
respond to EDNS. Some devices may block or drop fragmented responses.
Some of these may cause timing problems. After multiple timeouts, it may
use a non-DNSSEC query. Or maybe there was a SERVFAIL from a EDNS query
(due to broken name server) or maybe something in the middle removed the
RRSIG records. Or maybe it was a real attempt of poisoning or the zone
really was temporarily broken (but probably not). (Disclosure: I worked
for the owner of that zone.)
> Any idea what is going wrong here? 2001:8b0::2021 is one of the recursive
> resolves provided by my ISP.
Maybe test it with
dig @2001:8b0::2021 +short rs.dns-oarc.net txt
For example, one of my ISP's resolvers results in:
"188.8.131.52 DNS reply size limit is at least 490"
"184.108.40.206 lacks EDNS, defaults to 512"
(I do not use them!)
Main Index |
Thread Index |