[dnssec-deployment] DNSSEC in Russia
lutz at iks-jena.de
Thu Apr 2 21:10:31 EDT 2009
* Mark Andrews wrote:
> DNSSEC works through routers that drop all fragements with
> no configuration tuning.
> DNSSEC works through routers that drop UDP responses greater
> that 512 octets no configuration tuning.
I personally was not that lucky. I does see timeouts in those cases.
Tuning the resolver to EDNS0 buffer size of 1500/512 bytes helps.
> The only case it won't work through is a router that blocks
> EDNS + DO responses which is the minimum required to support
Of course. It even does not work if the equipment in the path filters out
DNSSEC related records (like some well known open resolvers).
More information about the Dnssec-deployment