[dns-operations] Dealing with the bizarre - grantee.fema.gov

Brian Somers bsomers at opendns.com
Thu Jul 9 00:07:43 UTC 2020

On Jul 8, 2020, at 12:31 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> With even more verbose debugging, unbound-host reports a DNSKEY response
> size of 1842 bytes.

Interesting.  I just see:

    # dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @

    ; <<>> DiG 9.16.4 <<>> +cd +norecurse +tries +bufsize +dnssec dnskey grantee.fema.gov @
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

Never a response when I give it a big enough bufsize…
I wonder what unbound is doing that dig isn’t.

Of course our resolvers only ask for bufsize=1410, get a
TC, ask over TCP and get a response with just the SOA,
which isn’t even a valid denial :(
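
The failure sequence described in this message (a TC reply over UDP, then a TCP reply carrying only an SOA) can be recognised mechanically; the following is an added example, not part of the original post and not OpenDNS resolver code. It assumes the zone is signed and the query set the DO bit, checks only for the presence of NSEC/NSEC3 and RRSIG records rather than validating them, and runs on constructed sample replies with empty RDATA.

```python
import struct

QR, AA, TC = 0x8000, 0x0400, 0x0200
SOA, RRSIG, NSEC, DNSKEY, NSEC3 = 6, 46, 47, 48, 50

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse(msg):
    """Return (flags, [answer_types, authority_types, additional_types])."""
    _id, flags, qd, *counts = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = []
    for count in counts:
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return flags, sections

def classify(msg):
    flags, (answer, authority, _additional) = parse(msg)
    if flags & TC:
        return "truncated"             # resolver should retry over TCP
    if answer:
        return "answer"
    if RRSIG in authority and {NSEC, NSEC3} & set(authority):
        return "denial-present"        # proof still has to be validated
    return "no-denial"                 # SOA-only: bogus for a signed zone

def build(flags, authority=()):
    """Constructed sample reply for DNSKEY grantee.fema.gov; RDATA left empty."""
    qname = b"".join(bytes([len(l)]) + l for l in (b"grantee", b"fema", b"gov")) + b"\0"
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 60, 0) for t in authority)
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority), 0)
    return hdr + qname + struct.pack("!HH", DNSKEY, 1) + rrs

UDP_REPLY = build(QR | AA | TC)                 # constructed: truncated UDP reply
TCP_REPLY = build(QR | AA, authority=(SOA,))    # constructed: SOA-only TCP reply
```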

