tech-net archive


Re: DNSSEC problems



On Sat, Jan 22, 2011 at 08:33:14AM -0600, Jeremy C. Reed wrote:
> On Sat, 22 Jan 2011, Matthias Scheler wrote:
> 
> > Jan 22 09:32:42 colwyn named[9658]:  validating @0x7f7ff6be2000: 
> > dlv.isc.org SOA: got insecure response; parent indicates it should be 
> > secure
> 
> For some reason, a query for dlv.isc.org's SOA got a response that was 
> not signed. Some misconfigured firewalls block DNS on UDP responses over 
> 512 bytes. Some broken firewalls block EDNS. Some nameservers don't 
> respond to EDNS. Some devices may block or drop fragmented responses. 

This includes our version of pf(4).  It drops all(?) IPv6 fragments.

        Jonathan Kollasch
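
The failure modes listed in the quoted reply can be told apart by sending a query with EDNS and the DO bit set and looking at what comes back. The following is an added example, not part of the original message and not BIND code; the names `build_query`, `diagnose` and `sample_response` are hypothetical, and the sample responses are constructed with empty RDATA so the script runs offline.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46  # RR type codes

def build_query(name, qtype=SOA, payload=4096, qid=0x1234):
    """DNS query with an EDNS0 OPT RR advertising `payload` bytes and DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    # OPT: root name, type 41, class = UDP payload size, TTL low 16 bits = flags (DO = 0x8000)
    opt = b"\0" + struct.pack("!HHIH", OPT, payload, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def diagnose(msg):
    """Classify a response to a DO=1 query by what survived the path."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0200:
        return "truncated"            # TC set: resolver must retry over TCP
    off, types = 12, set()
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    if OPT not in types:
        return "no-edns"              # EDNS stripped or unsupported
    return "signed" if RRSIG in types else "unsigned"

def sample_response(query, rtypes, tc=False):
    """Constructed test data: answer `query` with empty-RDATA records of `rtypes`."""
    answers = [t for t in rtypes if t != OPT]
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 0, 0) for t in answers)
    opt = query[-11:] if OPT in rtypes else b""
    flags = 0x8180 | (0x0200 if tc else 0)
    counts = struct.pack("!HHHHH", flags, 1, len(answers), 0, 1 if opt else 0)
    return query[:2] + counts + query[12:-11] + body + opt
```

A dropped fragment produces no response at all, so it appears as a timeout rather than as one of these classes; a timeout with `payload=4096` that goes away with `payload=512` points toward size or fragment filtering on the path.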

