On 12-05-02 09:29 AM, Mark Andrews wrote:
>
> The zones are signed. Possible reasons are:
>
> * a firewall blocking EDNS queries.

This shouldn't be the case. Outgoing traffic from the bind9 server being used here should be completely unfettered.

> * using a non DNSSEC enabled forwarder so you don't get signatures.

I believe my forwarder (bind9 server) is DNSSEC enabled:

    options {
        ...
        // enable DNSSEC
        dnssec-enable yes;
        dnssec-validation yes;
        // as of 9.7, use "auto" instead
        // dnssec-lookaside . trust-anchor dlv.isc.org.;
        dnssec-lookaside auto;
    };

> * a firewall blocking fragmented UDP and named falling back to
>   plain DNS.

Again, the firewall should be allowing bind9 to do whatever it wants.

> * other packet loss causing named to fallback to plain DNS.

I'm not seeing any evidence of that here otherwise.

Can you prescribe any tests that I can do to [dis-]prove any of the above theories?

Cheers and much thanks,
b.
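Added example, not part of the original message or the thread: a small shell helper that reads saved `dig +dnssec` output and labels which of the symptoms listed in the quoted reply it shows (no reply, no EDNS, EDNS without signatures, signatures with or without the AD flag). The resolver address, zone name and sample replies are constructed placeholders, and the labels describe the reply only, not a confirmed cause.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `dig +dnssec` output on stdin and
# names the symptom it shows. Capture real input with, for instance:
#   dig +dnssec @127.0.0.1 example.org SOA   (address and zone are placeholders)
diagnose_dig() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq "$1"; }
    if has 'connection timed out'; then
        echo "timeout"               # no reply: packet loss or a filter dropping traffic
    elif ! has '^; EDNS:'; then
        echo "no-edns"               # no OPT record in the reply: EDNS not in use on this path
    elif ! has '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo "no-rrsig"              # EDNS present but no signatures returned
    elif has '^;; flags:[^;]* ad[ ;]'; then
        echo "validated"             # signatures returned and the AD flag is set
    else
        echo "signed-not-validated"  # signatures returned, AD flag absent
    fi
}

# Constructed sample replies, trimmed to the lines the checks read.
soa='example.org. 3600 IN SOA ns.example.org. admin.example.org. 1 7200 3600 1209600 3600'
sig='example.org. 3600 IN RRSIG SOA 5 2 3600 20120601000000 20120502000000 12345 example.org. c2FtcGxl'
edns='; EDNS: version: 0, flags: do; udp: 4096'
sample_validated=";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
$edns
$soa
$sig"
sample_unvalidated=";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
$edns
$soa
$sig"
sample_no_rrsig=";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
$edns
$soa"
sample_no_edns=";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
$soa"
sample_timeout=';; connection timed out; no servers could be reached'

for s in "$sample_validated" "$sample_unvalidated" "$sample_no_rrsig" \
         "$sample_no_edns" "$sample_timeout"; do
    printf '%s\n' "$s" | diagnose_dig
done
```

Running the same query again with `+tcp`, or with a small `+bufsize=` value, and comparing the labels helps separate a path that drops large UDP replies from one that drops everything.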