[dnssec-deployment] DNSSEC in Russia
Lutz Donnerhacke
lutz at iks-jena.de
Thu Apr 2 21:10:31 EDT 2009
* Mark Andrews wrote:
> DNSSEC works through routers that drop all fragements with
> no configuration tuning.
> DNSSEC works through routers that drop UDP responses greater
> that 512 octets no configuration tuning.
I personally was not that lucky. I does see timeouts in those cases.
Tuning the resolver to EDNS0 buffer size of 1500/512 bytes helps.
> The only case it won't work through is a router that blocks
> EDNS + DO responses which is the minimum required to support
> DNSSEC.
Of course. It even does not work if the equipment in the path filters out
DNSSEC related records (like some well known open resolvers).
More information about the Dnssec-deployment
mailing list