[Dnssec-trigger] Help diagnose DNSSEC hostile network

Ralf Jung post at ralfj.de
Fri Sep 12 10:05:35 UTC 2014


> Recently something changed in the network at my work and now
> Dnssec-Trigger bails out with "The Network Fails to Support DNSSEC".
> Dnssec-Trigger still works fine on other networks so it seems obvious
> that something changed somewhere in the network at work or at my
> workplaces internet supplier.
> If I am to report this as a problem I would like to supply them with a
> more precise description of what they changed and how they could fix it
> (otherwise the report will most likely be shelved).
> What should I look for? What is the best way to diagnose such a problem?
> The probe results contain this info: 

I am getting similar results in my university wireless network. The
problem (in my case) seems to be related to the firewall (or something)
dropping large UDP/DNS packets. The following two commands fail with a
timeout in that network:

dig @ns.ralfj.de ralfj.de A +dnssec
dig @ debian.org DNSKEY +dnssec

The first is a direct query to an authoritative nameserver, the second
uses Google's recursive resolver. Both return replies larger than 1KiB.

Kind regards

More information about the dnssec-trigger mailing list