unbound fails to resolve .org domain with DNSSEC

Anand Buddhdev anandb at ripe.net
Mon Sep 10 20:26:17 UTC 2018


On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:

Hi Paulo,

> do-tcp: no

Don't disable TCP. TCP is *required* for proper operation of DNS,
especially if you want to do DNSSEC validation. Many of the signed
responses can be large. For example, the DNSKEY response for .ORG is
1625 bytes, and sometimes TCP is required in order to retrieve such
large responses. Disabling TCP can cause DNSSEC validation to fail.

Regards,
Anand



More information about the Unbound-users mailing list