[Pdns-users] Problems resolving specific domain with pdns_recursor 4

Remi Gacogne remi.gacogne at powerdns.com
Thu Jul 20 13:43:17 UTC 2017


On 07/20/2017 03:27 PM, Christian Renner wrote:
>> http://dnsviz.net/d/bankofsingapore.com/dnssec/
>> it looks rather wild
> 
> Yes, really wild.
> Thanks for pointing me to the right direction!

There are several issues with that zone, but you can get it to work with
4.0.x.

It doesn't work in the default configuration because we ask for DNSSEC
answers while advertising a default payload size of 1680
(edns-outgoing-bufsize). The answer is too large, and the servers
rightly respond with the TC bit set, forcing us to retry over TCP.
Unfortunately neither of the two servers seems to answer over TCP, so we fail.

This can be fixed either by disabling DNSSEC processing (dnssec=off) to
revert to the 3.x behavior, since the answers are then small enough for
our advertised payload size over UDP, or simply by advertising a larger
payload size (edns-outgoing-bufsize=4096).

Of course the servers should answer over TCP.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
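
Added example, not part of the original message and not PowerDNS code: a small Python model of the exchange described above, showing how the advertised EDNS payload size and the DO bit decide whether the UDP answer comes back with TC set, and what happens when TCP goes unanswered. The name example.com, the answer sizes (300 and 2500 bytes) and all function names are constructed for illustration.

```python
import struct

TC_BIT = 0x0200  # header flag: answer truncated, retry over TCP (RFC 1035)
DO_BIT = 0x8000  # OPT flag: DNSSEC OK, include signatures (RFC 3225)

def build_query(name, qtype=1, bufsize=1680, dnssec=True, qid=0x1234):
    """Encode a query carrying an EDNS0 OPT record that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = payload size, TTL = flags, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, DO_BIT if dnssec else 0, 0)
    return header + question + opt

def read_opt(query):
    """Return (bufsize, dnssec_ok) from the OPT record that ends our query."""
    _type, bufsize, ttl, _rdlen = struct.unpack("!HHIH", query[-10:])
    return bufsize, bool(ttl & DO_BIT)

def is_truncated(message):
    return bool(struct.unpack("!H", message[2:4])[0] & TC_BIT)

def udp_reply(query, plain_size, signed_size):
    """Model an authoritative server: set TC when the answer exceeds bufsize."""
    bufsize, dnssec_ok = read_opt(query)
    size = signed_size if dnssec_ok else plain_size
    flags = 0x8400 | (TC_BIT if size > bufsize else 0)  # QR + AA
    return query[:2] + struct.pack("!H", flags) + b"\x00" * 8  # header-only reply

def outcome(query, plain_size, signed_size, tcp_answers):
    """What the resolver ends up with for one configuration."""
    if not is_truncated(udp_reply(query, plain_size, signed_size)):
        return "answered over UDP"
    return "answered over TCP" if tcp_answers else "failed: TC set, no TCP answer"

# Constructed sizes, not measured from the zone in the thread.
PLAIN, SIGNED = 300, 2500

if __name__ == "__main__":
    for label, q in [("default (1680, DNSSEC)", build_query("example.com")),
                     ("edns-outgoing-bufsize=4096", build_query("example.com", bufsize=4096)),
                     ("dnssec=off", build_query("example.com", dnssec=False))]:
        print(f"{label}: {outcome(q, PLAIN, SIGNED, tcp_answers=False)}")
```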
