Standard User candlerb
(knowledge is power) Thu 14-Sep-23 08:36:33

Re: gov.uk &dnssec


[re: Oliver341] [link to this post]
 
Regards the dig tests: please can you add "+tcp" to them and repeat. I'm fairly sure that dig will *not* automatically failover from udp to tcp, if it's unable to contact the far end on udp:

+[no]tcp
           Use [do not use] TCP when querying name servers. The default behavior is
           to use UDP unless an ixfr=N query is requested, in which case the
           default is TCP. AXFR queries always use TCP.


However it will switch from udp to tcp if it gets a "truncation" response from the nameserver in a udp response.

I'd say most likely your problem is either MTU or lack of EDNS0 support.

What router/firewall(s) do you have between yourself and the Internet? There are broken devices out there which don't handle large packets and/or EDNS0.

Since the various DNS Flag Days, workarounds for these broken devices have been removed. Overall these help the performance and stability of DNS, but obviously if you have a broken device it needs to be fixed.
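
The checks discussed in this post (UDP with EDNS0, plain UDP, TCP, and the truncation bit), sketched as an added example that is not part of the original thread. The function names, the 1232-byte buffer size and the result strings are assumptions chosen for illustration, and the resolver is assumed to be given as an IPv4 address.

```python
import socket
import struct
import sys

def build_query(name, qtype=48, edns=True, bufsize=1232, qid=0x1234):
    """DNS query for `name`; qtype 48 is DNSKEY. edns=True appends an OPT
    record advertising `bufsize` with the DO (DNSSEC OK) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # OPT RR: root name, type 41, class = UDP size, TTL = flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0) if edns else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_flags(msg):
    """(truncated, rcode, answer_count) from a response header."""
    _, flags, _, ancount = struct.unpack("!HHHH", msg[:8])
    return bool(flags & 0x0200), flags & 0x000F, ancount

def ask(server, query, tcp=False, timeout=3.0):
    """One query, no retry and no fallback; None means no usable reply."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if not tcp:
                s.send(query)
                return s.recv(65535)
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
            f = s.makefile("rb")
            return f.read(struct.unpack("!H", f.read(2))[0])
    except (OSError, struct.error):
        return None

def diagnose(udp_edns, udp_plain, tcp):
    """Classify three probe results (reply bytes, or None for no reply)."""
    if udp_edns is not None:
        if not parse_flags(udp_edns)[0]:
            return "ok over UDP"
        return "truncated, TCP retry works" if tcp is not None else "truncated and TCP blocked"
    if udp_plain is not None:
        return "EDNS0 query or large reply lost (middlebox or MTU)"
    return "UDP blocked, TCP works" if tcp is not None else "server unreachable"

if __name__ == "__main__":  # usage: python3 probe.py <resolver-ip> [name]
    server, name = sys.argv[1], (sys.argv[2:] or ["gov.uk"])[0]
    q = build_query(name)
    print(diagnose(ask(server, q), ask(server, build_query(name, edns=False)), ask(server, q, tcp=True)))
```

A plain (non-EDNS) DNSKEY query normally comes back as a small truncated reply, which is enough to show that UDP itself gets through when the EDNS0 probe gets no answer.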
Standard User Moto
(fountain of knowledge) Thu 14-Sep-23 10:30:20


[re: candlerb] [link to this post]
 
I was using +tcp.
I was previously using a Virgin Media router in modem mode with a PC running OPNsense. I did not appear to have this problem.
Virgin changed my package and sent me a new router - a Hub 5 made by Sagemcom. I retired my OPNsense server when one interface died and use the Hub 5 in router mode. I have ended up on a totally different IP address from Virgin and it was at this time I noticed my problem.
I originally discovered a similar problem with .tv domains but that now works. I have a problem also with www.infoblox.com; https://dnsviz.net/d/www.infoblox.com/dnssec/ shows errors for me.

A friend surfing in
Standard User Oliver341
(eat-sleep-adslguide) Thu 14-Sep-23 11:07:16


[re: Moto] [link to this post]
 
For better or worse, DNSSEC isn't currently something I have to deal with as the AWS VPC internal DNS server I'm using doesn't support it. That said, given the likes of Google and Microsoft are yet to sign their answers, I don't feel that ashamed for not using it.

Oliver.



Standard User Moto
(fountain of knowledge) Sat 16-Sep-23 12:52:19


[re: Moto] [link to this post]
 
It is now working after putting Virgin's router into modem mode and using a router I flashed with OpenWrt. This has put my IP in a different address range, so the problem was either Virgin's router or Virgin's routing.

A friend surfing in