In message <[email protected]>, Piff writes:
> Mark,
>
> more than once you have blamed firewall but I have tested without
> firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig +dnssec".

Wrong. The nameservers DO answer these queries.

# dig +dnssec @ns33.domaincontrol.com. replacementservices.com.

; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;replacementservices.com. IN A

;; ANSWER SECTION:
replacementservices.com. 3600 IN A 72.32.12.235

;; AUTHORITY SECTION:
replacementservices.com. 3600 IN NS ns33.domaincontrol.com.
replacementservices.com. 3600 IN NS ns34.domaincontrol.com.

;; Query time: 346 msec
;; SERVER: 216.69.185.17#53(216.69.185.17)
;; WHEN: Wed Jun 23 17:39:43 2010
;; MSG SIZE rcvd: 109

#

Since you are not getting answers then there is a problem between
you and the nameservers in question and as just about everyone
else is getting answers as well this puts the problem close to you.
i.e. Your network or your ISP's network.

Something on the path is doing DPI tests and is rejecting the response.
Do you have a NAT that does DPI?

> The real problem is bind. Freshly reloaded bind will do a query with
> OPT EDNS0 set and after a timeout retry the query without OPT EDNS0
> but after some time the queries are only with OPT EDNS0 set. Why? Why no
> fallback? My machines are running version 9.6-ESV-R1 and 9.4-ESV-R2.

It does fall back to plain DNS.

> -Sai
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
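For anyone comparing packet captures of the two query forms discussed in this thread, an added example (not part of the original message, and not BIND or dig code): it builds the same question with and without the EDNS0 OPT record that `dig +dnssec` adds, and reports whether a captured DNS message carries OPT and the DO bit. The function names, the cleared header flags and the 4096-byte UDP size are assumptions chosen for illustration.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qid, edns=True, do=True, udp_size=4096):
    """Build an A/IN query; with edns=True append an OPT RR."""
    # Header flags left at 0 (assumption: a resolver's iterative query).
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:
        ttl = 0x8000 if do else 0  # ext-rcode 0, version 0, DO flag
        # Root owner, TYPE=OPT, CLASS=UDP payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += n + 1

def edns_info(msg):
    """Return None for plain DNS, else the OPT record's parameters."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000)}
    return None

if __name__ == "__main__":
    # Constructed sample: the name and query ID shown in the dig output above.
    for edns in (True, False):
        q = build_query("replacementservices.com.", 41760, edns=edns)
        print(len(q), "bytes:", edns_info(q))
```

`edns_info` accepts any raw DNS message, so the UDP payload of a captured query or response can be passed to it directly.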

