Re: DNSSEC problems

To: Matthias Scheler <tron%zhadum.org.uk@localhost>
Subject: Re: DNSSEC problems
From: "Jonathan A. Kollasch" <jakllsch%kollasch.net@localhost>
Date: Sun, 23 Jan 2011 01:25:56 +0000

On Sat, Jan 22, 2011 at 08:33:14AM -0600, Jeremy C. Reed wrote:
> On Sat, 22 Jan 2011, Matthias Scheler wrote:
> 
> > Jan 22 09:32:42 colwyn named[9658]:  validating @0x7f7ff6be2000: 
> > dlv.isc.org SOA: got insecure response; parent indicates it should be 
> > secure
> 
> For some reason, a query for dlv.isc.org's SOA got a response that was 
> not signed. Some misconfigured firewalls block DNS on UDP responses over 
> 512 bytes. Some broken firewalls block EDNS. Some nameservers don't 
> respond to EDNS. Some devices may block or drop fragmented responses. 

This includes our version of pf(4).  It drops all(?) IPv6 fragments.

        Jonathan Kollasch

Follow-Ups:
- Re: DNSSEC problems
  - From: der Mouse

References:
- DNSSEC problems
  - From: Matthias Scheler
- Re: DNSSEC problems
  - From: Jeremy C. Reed

Prev by Date: Re: DNSSEC problems
Next by Date: Re: DNSSEC problems
Previous by Thread: Re: DNSSEC problems
Next by Thread: Re: DNSSEC problems
Indexes:

Home | Main Index | Thread Index | Old Index