unbound fails to resolve .org domain with DNSSEC
Anand Buddhdev
anandb at ripe.net
Mon Sep 10 20:26:17 UTC 2018
On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
Hi Paulo,
> do-tcp: no
Don't disable TCP. TCP is *required* for proper operation of DNS,
especially if you want to do DNSSEC validation. Many of the signed
responses can be large. For example, the DNSKEY response for .ORG is
1625 bytes, and sometimes TCP is required in order to retrieve such
large responses. Disabling TCP can cause DNSSEC validation to fail.
Regards,
Anand
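
The truncation fallback described in the message above, as an added example that is not part of the original post or of Unbound's code: a resolver advertises a UDP size via EDNS0, the server sets the TC bit when the answer does not fit, and the client must then retry over TCP. The server model, function names and sample buffer sizes are constructed for illustration; only the 1625-byte figure comes from the message.

```python
import struct

TC = 0x0200              # truncation bit in the DNS header flags word (RFC 1035)
DNSKEY, OPT = 48, 41     # RR type codes
ORG_DNSKEY_SIZE = 1625   # response size quoted in the message above

def build_query(qname, qtype, bufsize, msg_id=0x1234):
    """Query with an EDNS0 OPT record: advertised UDP size plus the DO bit."""
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".") if p) + b"\x00"
    # OPT RR: root name, type 41, class = UDP payload size, TTL carries DO (0x8000), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000, 0)
    return header + name + struct.pack("!HH", qtype, 1) + opt

def advertised_bufsize(query):
    """Read the UDP payload size from the OPT record at the end of the query."""
    rtype, size = struct.unpack("!HH", query[-10:-6])   # OPT type and class fields
    if rtype != OPT:
        raise ValueError("query does not end with an OPT record")
    return size

def server_udp_reply(query, full_size):
    """Constructed server model: header-only reply, TC set if the answer is too big."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8400 | (TC if full_size > advertised_bufsize(query) else 0)  # QR=1, AA=1
    return struct.pack("!6H", msg_id, flags, 0, 0, 0, 0)

def fetch_dnskey(bufsize, tcp_enabled, full_size=ORG_DNSKEY_SIZE):
    """Return the transport that delivers the full DNSKEY set, or None on failure."""
    reply = server_udp_reply(build_query("org.", DNSKEY, bufsize), full_size)
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & TC:
        return "udp"
    # Truncated: the only way to get the keys is a TCP retry. With TCP disabled
    # the validator never obtains the DNSKEY set and validation fails.
    return "tcp" if tcp_enabled else None

if __name__ == "__main__":
    for bufsize, tcp in [(4096, False), (1232, True), (1232, False)]:
        print(f"bufsize={bufsize} tcp={tcp} ->", fetch_dnskey(bufsize, tcp))
```
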