[Dnssec-trigger] Help diagnose DNSSEC hostile network

Arne Jørgensen arne at arnested.dk
Wed Oct 15 05:15:00 UTC 2014

Ralf Jung <post at ralfj.de> writes:

> Hi,
>> Recently something changed in the network at my work and now
>> Dnssec-Trigger bails out with "The Network Fails to Support DNSSEC".
>> Dnssec-Trigger still works fine on other networks so it seems obvious
>> that something changed somewhere in the network at work or at my
>> workplaces internet supplier.
>> If I am to report this as a problem I would like to supply them with a
>> more precise description of what they changed and how they could fix it
>> (otherwise the report will most likely be shelved).
>> What should I look for? What is the best way to diagnose such a problem?
>> The probe results contain this info: 
> [...]
> I am getting similar results in my university wireless network. The
> problem (in my case) seems to be related to the firewall (or something)
> dropping large UDP/DNS packets. The following two commands fail with a
> timeout in that network:
> dig @ns.ralfj.de ralfj.de A +dnssec
> dig @ debian.org DNSKEY +dnssec
> The first is a direct query to an authoritative nameserver, the second
> uses Google's recursive resolver. Both return replies larger than 1KiB.
> Kind regards
> Ralf

Thank you. UDP packets size appears to be the problem (small DNSSEC
signed packages works fine).

Before I got around to reporting this to internet supplier they changed
something again and it started working again.

Kind regards,

More information about the dnssec-trigger mailing list