Re: DNSSEC problems

[Matthias Scheler <tron%zhadum.org.uk@localhost>]

On 22 Jan 2011, at 14:33, Jeremy C. Reed wrote:
> Some broken firewalls block EDNS. Some nameservers don't 
> respond to EDNS. Some devices may block or drop fragmented responses. 

I hope that none of this is the case in for setup. I've turned off intrusions
detection on the router (Cisco 877W) and my ISP is a strong believer in not
messing about with peoples' IP traffic. I've contact their support and asked
whether they are aware of any DNSSEC problems on that name server.

>> Any idea what is going wrong here? 2001:8b0::2021 is one of the recursive
>> resolves provided by my ISP.
> 
> Maybe test it with
> 
>       dig @2001:8b0::2021 +short rs.dns-oarc.net txt      
> 
> See https://www.dns-oarc.net/oarc/services/replysizetest
> 
> For example, one of my ISP's resolvers results in:
> 
> "68.238.96.37 DNS reply size limit is at least 490"
> "68.238.96.37 lacks EDNS, defaults to 512"

This is what I get:

tron@colwyn:~>host -t txt rs.dns-oarc.net. 2001:8b0::2021
Using domain server:
Name: 2001:8b0::2021
Address: 2001:8b0::2021#53
Aliases: 

rs.dns-oarc.net is an alias for rst.x4091.rs.dns-oarc.net.
rst.x4091.rs.dns-oarc.net is an alias for rst.x4049.x4091.rs.dns-oarc.net.
rst.x4049.x4091.rs.dns-oarc.net is an alias for 
rst.x4055.x4049.x4091.rs.dns-oarc.net.
rst.x4055.x4049.x4091.rs.dns-oarc.net descriptive text 
"2001:8b0:0:53::5a9b:3520 DNS reply size limit is at least 4091"
rst.x4055.x4049.x4091.rs.dns-oarc.net descriptive text 
"2001:8b0:0:53::5a9b:3520 sent EDNS buffer size 4096"
rst.x4055.x4049.x4091.rs.dns-oarc.net descriptive text "Tested at 2011-01-22 
14:42:40 UTC"

        Kind regards

-- 
Matthias Scheler                           http://zhadum.org.uk/