[Dnssec-trigger] Help diagnose DNSSEC hostile network
Arne Jørgensen
arne at arnested.dk
Wed Oct 15 05:15:00 UTC 2014
Ralf Jung <post at ralfj.de> writes:
> Hi,
>
>> Recently something changed in the network at my work and now
>> Dnssec-Trigger bails out with "The Network Fails to Support DNSSEC".
>>
>> Dnssec-Trigger still works fine on other networks so it seems obvious
>> that something changed somewhere in the network at work or at my
>> workplaces internet supplier.
>>
>> If I am to report this as a problem I would like to supply them with a
>> more precise description of what they changed and how they could fix it
>> (otherwise the report will most likely be shelved).
>>
>> What should I look for? What is the best way to diagnose such a problem?
>>
>> The probe results contain this info:
> [...]
>
> I am getting similar results in my university wireless network. The
> problem (in my case) seems to be related to the firewall (or something)
> dropping large UDP/DNS packets. The following two commands fail with a
> timeout in that network:
>
> dig @ns.ralfj.de ralfj.de A +dnssec
> dig @8.8.8.8 debian.org DNSKEY +dnssec
>
> The first is a direct query to an authoritative nameserver, the second
> uses Google's recursive resolver. Both return replies larger than 1KiB.
>
> Kind regards
> Ralf
Thank you. UDP packets size appears to be the problem (small DNSSEC
signed packages works fine).
Before I got around to reporting this to internet supplier they changed
something again and it started working again.
Kind regards,
Arne
More information about the dnssec-trigger
mailing list