On Mon, May 2, 2011 at 1:31 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* William Herrin:
On Mon, May 2, 2011 at 1:13 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* William Herrin:
Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?
You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a controversial feature.
I have "dnssec-enable no;" in my bind config.
It does not seem to have the intended effect.
Hmm. You're right. Bind won't disable DNSSEC unless you turn edns off completely with:

server 0.0.0.0/0 { edns no; };

Thanks for the info!

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
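An added example, not part of the thread and not code from either poster or from BIND: a Python sketch that reads the EDNS0 OPT record of a DNS query and flags a DNSSEC-requesting query (DO bit set) whose advertised UDP buffer is below the 1220 bytes cited from RFC 3226, section 3. The function names are hypothetical and the queries are constructed in the script, not captured traffic.

```python
import struct
OPT = 41             # EDNS0 pseudo-RR type
RFC3226_MIN = 1220   # minimum buffer size from RFC 3226 section 3

def build_query(name, qtype, udp_size=None, do=False, qid=0x1234):
    """Build a DNS query; append an EDNS0 OPT record when udp_size is given."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    labels = [l.encode() for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if udp_size:
        ttl = 0x8000 if do else 0   # DO is the top bit of the 16 flag bits
        msg += b"\0" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return msg

def skip_name(msg, off):
    while True:                     # walk labels until root or a pointer
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer is two bytes
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (advertised_udp_size, do_bit), or None if there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:                       # CLASS field carries the UDP size
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def check(msg):
    """Classify a query: 'no-edns', 'undersized' (DO with < 1220), or 'ok'."""
    info = edns_info(msg)
    if info is None:
        return "no-edns"
    size, do = info
    return "undersized" if do and size < RFC3226_MIN else "ok"

if __name__ == "__main__":   # constructed queries; 48 = DNSKEY
    for size, do in [(512, True), (4096, True), (None, False)]:
        print(size, do, check(build_query("gov", 48, size, do)))
```

The first constructed query models a resolver that still sets DO while advertising 512 bytes; the last models EDNS turned off entirely, as with the `edns no;` setting above.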