In message <a9981203-ca2a-4ba2-b95b-08d992178...@mellmo.com>, seren writes:

> Thanks for your response. I didn't know about the +trace option in dig.
> After some more searching, I believe you are correct about the long
> responses being related. The responses that fail all seem to exceed
> 512 bytes. Why this would happen in multiple locations is a mystery, but
> perhaps our firewalls are configured similarly. I'll look into the
> firewall settings on my end, but since there may be other devices out
> there configured similarly, I'll need to try and reduce my CNAMEs to fit
> into a 512-byte response or switch them to A records.
>
> -seren
Some firewall vendors / operators think that all UDP DNS responses are <= 512 bytes of payload. This has not been the case officially for over a decade now with EDNS, and was never one in practice, as there have always been servers that sent larger responses as long as I've been working with DNS, ~20 years now.

Some firewall vendors / operators think that TCP DNS is only used for AXFR. This has *never* been the case.

One or both of these may be the problem.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
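As an added illustration (not code from this thread, nor from ISC or BIND), here is a small Python estimator for the wire size of a UDP DNS response that carries a CNAME chain, so an operator planning to trim a chain as seren describes can check whether a candidate layout fits under the classic 512-byte limit before changing records. It assumes no EDNS OPT record is present, that the answer section holds the whole chain plus the final A records, and it uses RFC 1035 label compression; all names and addresses are constructed examples.

```python
import struct


def _encode_name(name, offsets, msg_len):
    """Encode a domain name with RFC 1035 label compression.

    `offsets` maps each already-emitted name suffix (lowercased) to its
    position in the message; `msg_len` is where this name will start.
    """
    labels = name.rstrip(".").lower().split(".")
    out = b""
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                      # tail already in message
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if msg_len + len(out) <= 0x3FFF:           # pointer must fit 14 bits
            offsets[suffix] = msg_len + len(out)
        label = labels[i].encode()
        out += bytes([len(label)]) + label
    return out + b"\x00"


def response_size(qname, chain, addrs, ttl=300):
    """Wire size in bytes of a plain (non-EDNS) response to an A query for
    `qname`, answered by the CNAME chain `chain` ending in A records `addrs`."""
    offsets = {}
    # Header: id, flags (QR, RD, RA), qdcount, ancount, nscount, arcount
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(chain) + len(addrs), 0, 0)
    msg += _encode_name(qname, offsets, len(msg)) + struct.pack("!HH", 1, 1)
    owner = qname
    for target in chain:                           # one CNAME RR per hop
        msg += _encode_name(owner, offsets, len(msg))
        msg += struct.pack("!HHI", 5, 1, ttl)      # TYPE=CNAME, CLASS=IN, TTL
        rdata = _encode_name(target, offsets, len(msg) + 2)
        msg += struct.pack("!H", len(rdata)) + rdata
        owner = target
    for ip in addrs:                               # A RRs on the final owner
        msg += _encode_name(owner, offsets, len(msg))
        msg += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return len(msg)


def fits_in_512(qname, chain, addrs):
    """True if the estimated response fits the 512-byte UDP payload limit."""
    return response_size(qname, chain, addrs) <= 512


if __name__ == "__main__":
    # Constructed example: one hop stays small, ten long hops do not.
    short = ["cdn.example.net"]
    long = [f"hop{i:02d}.very-long-subdomain-label-number-{i:02d}.example-provider-{i:02d}.com" for i in range(10)]
    print(response_size("www.example.com", short, ["192.0.2.1"]), fits_in_512("www.example.com", short, ["192.0.2.1"]))
    print(response_size("www.example.com", long, ["192.0.2.1"]), fits_in_512("www.example.com", long, ["192.0.2.1"]))
```

The estimate is for the answer section only; a real response with authority and additional records, or a DNSSEC-signed one, is larger, so treat a result near 512 as already over the line.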