Friday, March 27, 2009
DNSSEC vs Firewall
A very common cause of DNSSEC validation failure under BIND 9 is a firewall problem: specifically, a firewall that drops IP fragments. A DNSSEC response, and a DNSKEY response in particular, is often large enough that the UDP reply exceeds the path MTU and gets fragmented; if the fragments never arrive, the resolver times out and validation fails.
To work around this, limit the UDP payload size the resolver advertises (and is therefore willing to accept) so that responses stay below the MTU and avoid fragmentation. This is a good but temporary solution; the real fix is a firewall that passes the fragments. You can confirm the diagnosis with dig: "dig +dnssec +bufsize=4096 DNSKEY ." times out through such a firewall, while "dig +dnssec +bufsize=1460 DNSKEY ." comes back truncated and succeeds on the TCP retry.
options { edns-udp-size 1460; };
This has the side effect of causing TCP retries on large packets, which are often the DNSKEY responses. However, it also causes DNSSEC to work, so overall it's a good thing.
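To make the mechanism concrete, here is an added example in Python that is not part of the original post: it models the exchange the post describes. The resolver's EDNS0 OPT record advertises a UDP buffer size, the simulated authoritative server either answers in one UDP datagram or truncates with TC=1, and a constructed firewall drops anything that would have to be fragmented. The message layout follows RFC 1035 and RFC 6891; the 1500-byte path MTU, the 1800-byte DNSKEY answer and the firewall's fragment-dropping behaviour are assumptions chosen to reproduce the failure.

```python
"""Why `edns-udp-size 1460` gets DNSSEC through a fragment-dropping firewall.

Added example, not from the original post. Wire formats are real (RFC 1035
header, RFC 6891 OPT record); the MTU, answer size and firewall are constructed.
"""
import struct

PATH_MTU = 1500                # assumption: plain Ethernet path MTU
IP_UDP_OVERHEAD = 28           # 20-byte IPv4 header + 8-byte UDP header
DNSKEY_RESPONSE_LEN = 1800     # assumption: signed DNSKEY RRset that would need fragmentation
TYPE_DNSKEY, TYPE_OPT = 48, 41


def build_edns_query(qname, qtype, udp_size, txid=0x1234):
    """DNS query (RD=1) with one question and an EDNS0 OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    labels = [l for l in qname.rstrip(".").split(".") if l]     # "." -> no labels (root)
    question = b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                     # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (DO=0x8000), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x00008000, 0)
    return header + question + opt


def advertised_udp_size(query):
    """UDP payload size from the OPT record, or 512 (pre-EDNS default) if absent."""
    qdcount, arcount = struct.unpack("!H", query[4:6])[0], struct.unpack("!H", query[10:12])[0]
    pos = 12
    for _ in range(qdcount):                 # skip question: name, type, class
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1 + 4
    for _ in range(arcount):                 # scan additional section for TYPE 41
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return 512


def authoritative_udp_reply(query, answer_len):
    """Simulated server: full answer if it fits the client's buffer, else a truncated (TC=1) reply.
    Simplification: the truncated reply just echoes header, question and OPT."""
    limit = advertised_udp_size(query)
    if answer_len <= limit:
        return {"len": answer_len, "tc": False}
    return {"len": len(query), "tc": True}


def firewall_passes(udp_payload_len):
    """Constructed firewall: drops IP fragments, i.e. any datagram that exceeds the path MTU."""
    return udp_payload_len + IP_UDP_OVERHEAD <= PATH_MTU


def resolve_dnskey(udp_size, answer_len=DNSKEY_RESPONSE_LEN):
    """Resolver side: UDP first, TCP retry on TC=1.
    Returns the transport that delivered the full DNSKEY RRset, or None when
    the UDP reply is fragmented and dropped (the resolver times out, SERVFAIL)."""
    query = build_edns_query(".", TYPE_DNSKEY, udp_size)
    reply = authoritative_udp_reply(query, answer_len)
    if not firewall_passes(reply["len"]):
        return None
    if reply["tc"]:
        return "tcp"      # TCP is a stream, so no IP fragmentation and the firewall lets it through
    return "udp"


if __name__ == "__main__":
    for size in (4096, 1460):
        print(f"edns-udp-size {size}: DNSKEY via {resolve_dnskey(size) or 'nothing (fragments dropped)'}")
```

With the BIND default of 4096 the 1800-byte answer goes out as one UDP datagram, is fragmented on the wire and never arrives; with 1460 the server truncates, the resolver retries over TCP and validation succeeds, which is exactly the trade-off the post describes. Answers that fit in 1460 bytes still travel over UDP.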