Hi Mark,

Thanks for the pointers, you are spot on!

Doing dig +trace +dnssec www.paypal.com always fails. After some investigation with the network guys, it appears that our upstream firewall is dropping DNS UDP packets larger than 512. Cisco FWSM has this configuration enabled by default:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355

Once again, thanks for the help!

Regards,
Rianto Wahyudi

> You need to mimic the nameserver more closely and turn on +dnssec.
>
> dig +trace +dnssec www.paypal.com
>
> I suspect you have a firewall that is blocking the larger replies +dnssec
> produces. Named will work around this by adjusting the queries it makes
> but that requires timeouts and hence the longer resolution time.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
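An added example, not part of the original thread: a small probe for the failure discussed above, where replies to +dnssec queries exceed 512 bytes and are dropped on the path. It sends the same DNSKEY query twice, advertising a 512-byte and a 4096-byte EDNS0 UDP buffer, and compares the outcomes. The function names, the DNSKEY query type and the 3-second timeout are assumptions chosen for illustration.

```python
import socket
import struct

def build_query(name, qtype=48, bufsize=4096, qid=0x1234):
    """DNS query with an EDNS0 OPT record (RFC 6891) and the DO bit set."""
    # Header: id, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 48 = DNSKEY, class IN
    # OPT RR: root owner, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode | version | DO bit (0x8000) | zero, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt

def probe(server, name, bufsize, timeout=3.0):
    """Send one UDP query; return (reply_length, tc_bit) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize=bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return len(data), bool(struct.unpack("!H", data[2:4])[0] & 0x0200)

def diagnose(small, large):
    """Interpret probe() results for bufsize=512 (small) and bufsize=4096 (large)."""
    if small is None and large is None:
        return "no reply at either size: server unreachable or UDP/53 blocked"
    if large is None:
        return "512-byte query answered, 4096-byte query timed out: large replies dropped on path"
    if large[0] > 512:
        return "reply larger than 512 bytes arrived: path passes large UDP DNS"
    return "inconclusive: reply fit in 512 bytes, try a name with a larger signed answer"

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # server IP and a signed zone name
    print(diagnose(probe(server, name, 512), probe(server, name, 4096)))
```

Run it with a name server IP address and a DNSSEC-signed zone name as the two arguments, from a host behind the firewall under test.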