In message <aanlktims2mfbib5lpdpqyarc8ds1gg4db7b2tea=b...@mail.gmail.com>, Rian to Wahyudi writes:
> Hi Mark,
>
> Thanks for your quick response !
>
> > Standards Track.
> > RFC 2671 Extension Mechanisms for DNS (EDNS0)
> > RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
>
> Unfortunately RFC is not considered as good enough ... unless if we
> can find an actual proof that can be replicated :(
>
> I also did some dnssec trace demonstration, and it is still not a good
> enough reason :
> ie : dig www.anyhostname.com +trace +dnssec .
> This test always fails and it produces an FWSM log entry similar to:
> : %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to
> 10.0.0.1/64788 due to DNS Response

I also suggest that you ask your firewall people to talk to the
CISCO TAC about how to properly configure the firewall for a
nameserver that supports EDNS.  The defaults are not set up for a
nameserver that supports EDNS.  If they don't want to do that, read
what CISCO recommends here:

https://supportforums.cisco.com/message/3221565#3221565

> > Informational.
> > RFC 4294 IPv6 Node Requirements
> >
> > http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
> >
> >
> > How about the root servers?
> >
> >> - Any example of dns record that send packet larger than 512 ?
> >
> > The root servers.
> >
> >        dig +dnssec dnskey .
>
> This for some reason .... works without any problem :

Well if you ask the root servers ....

        dig +dnssec dnskey . @a.root-servers.net

With just "dig +dnssec dnskey ." you are talking to your own server
so are not going through the firewall.  You will also notice it
took 1/2 a second to get that answer so named did several different
attempts in that 1/2 second.

> ;; Query time: 547 msec
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
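
Added example, not part of the original message: a Python sketch of the EDNS0 OPT record a `dig +dnssec` style query carries and of why a DNS length check fixed at 512 bytes rejects the larger answer. The function names, the 800-byte response size and the `honor_edns` firewall model are assumptions made for illustration, not Cisco's implementation.

```python
import struct

OPT = 41  # EDNS0 pseudo-RR type (RFC 2671)

def encode_name(name):
    """DNS wire-format name; the root "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns=True, udp_size=4096):
    """Build a query; with edns=True it carries an OPT RR with the DO bit set."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns:
        # Owner = root, TYPE = OPT, CLASS = advertised UDP size, TTL 0x8000 = DO
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + n

def advertised_udp_size(msg):
    """UDP payload size the sender accepts: OPT CLASS, or 512 without EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return max(rclass, 512)
        off += 10 + rdlen
    return 512

def firewall_passes(query, response_len, max_len=512, honor_edns=False):
    """Simplified model of a DNS length check (assumption, not vendor code)."""
    limit = max(max_len, advertised_udp_size(query)) if honor_edns else max_len
    return response_len <= limit

if __name__ == "__main__":
    q = build_query(".", 48)  # DNSKEY for the root; 800 is a constructed size
    print(firewall_passes(q, 800), firewall_passes(q, 800, honor_edns=True))
```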