Re: unbound fails to resolve .org domain with DNSSEC

[Anand Buddhdev via Unbound-users]

On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:

Hi Paulo,

> do-tcp: no

Don't disable TCP. TCP is *required* for proper operation of DNS,
especially if you want to do DNSSEC validation. Many of the signed
responses can be large. For example, the DNSKEY response for .ORG is
1625 bytes, and sometimes TCP is required in order to retrieve such
large responses. Disabling TCP can cause DNSSEC validation to fail.

Regards,
Anand