DNS lookup failing

Tuomo Soini tis at foobar.fi
Thu Mar 21 09:56:46 UTC 2024


On Thu, 21 Mar 2024 09:40:10 +0000
Nick Howitt via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> I've done a bit more digging. With tcpdump, I can see the request
> coming from ClearOS into Unbound, going out onto the internet and
> returning with a valid answer to Unbound, but this answer does not
> then get back from Unbound to ClearOS.

Your domainkey is too big to fit into a UDP response. That means
there will be an empty UDP response with the TC bit set (requesting a
change to TCP DNS); the new request should then happen again over TCP.

Make sure TCP DNS traffic is allowed for this to work. TCP DNS is
really required nowadays. So if you have tooling which doesn't work
with TCP DNS, that just means you need to upgrade.

Generally your DKIM key can't be that big to work reliably. An RSA
SHA-256 2048-bit key still fits into UDP.

I strongly suggest against using nslookup as a diagnostic tool; please
use dig.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
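The reply above makes two testable claims: a DKIM TXT record built from a 2048-bit RSA key fits in a UDP answer while a larger key does not, and a server that cannot fit the answer sets the TC bit so the client must retry the same query over TCP. The following script is an added example, not code from the thread or from Unbound; it computes the DNS wire size of a DKIM record from the DER/base64/TXT encoding rules and checks the TC flag in a DNS header. The record name `selector._domainkey.example.com` is a placeholder and the two header byte strings are constructed samples, not captured traffic.

```python
"""DKIM TXT record size vs. DNS transport limits, plus TC-bit detection.

Added example (not from the mailing-list thread or Unbound). It shows why
a large DKIM public key makes the UDP answer truncated (TC=1) and what the
client then has to do: repeat the query over TCP with a 2-byte length
prefix. All sizes come from the wire formats; no network access is needed.
"""
import math
import struct

# Classic DNS/UDP payload limit without EDNS (RFC 1035) and the EDNS buffer
# size most resolvers advertise since DNS flag day 2020.
UDP_MAX_CLASSIC = 512
UDP_MAX_EDNS = 1232


def der_len_overhead(content_len: int) -> int:
    """Bytes used by a DER tag + length field for content_len bytes of content."""
    if content_len < 0x80:
        return 2            # tag + one short-form length byte
    if content_len < 0x100:
        return 3            # tag + 0x81 + one length byte
    return 4                # tag + 0x82 + two length bytes (covers RSA keys here)


def rsa_spki_der_size(modulus_bits: int) -> int:
    """Size of the DER SubjectPublicKeyInfo that DKIM places in p= (e = 65537).

    SEQUENCE { AlgorithmIdentifier(rsaEncryption, NULL),
               BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    n_len = modulus_bits // 8 + 1                       # leading 0x00: high bit is set
    n_int = der_len_overhead(n_len) + n_len
    e_int = 5                                           # 02 03 01 00 01
    rsa_seq = der_len_overhead(n_int + e_int) + n_int + e_int
    bit_string = der_len_overhead(rsa_seq + 1) + rsa_seq + 1   # +1 unused-bits byte
    alg_id = 15                                         # 30 0d 06 09 <OID> 05 00
    return der_len_overhead(alg_id + bit_string) + alg_id + bit_string


def dkim_txt_text_len(modulus_bits: int) -> int:
    """Length of the TXT text 'v=DKIM1; k=rsa; p=<base64 SPKI>'."""
    b64 = math.ceil(rsa_spki_der_size(modulus_bits) / 3) * 4
    return len("v=DKIM1; k=rsa; p=") + b64


def wire_name_len(name: str) -> int:
    """Wire size of an uncompressed domain name: length-prefixed labels + root byte."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1


def txt_rdata_len(text_len: int) -> int:
    """TXT RDATA is a series of <character-string>s, each <=255 bytes plus a length byte."""
    return text_len + math.ceil(text_len / 255)


def dkim_response_size(name: str, modulus_bits: int) -> int:
    """Smallest DNS response carrying one DKIM TXT answer (no OPT, no authority/additional)."""
    header = 12
    question = wire_name_len(name) + 4                  # QTYPE + QCLASS
    # answer: compressed name pointer, TYPE, CLASS, TTL, RDLENGTH, RDATA
    answer = 2 + 2 + 2 + 4 + 2 + txt_rdata_len(dkim_txt_text_len(modulus_bits))
    return header + question + answer


TC_FLAG = 0x0200   # TC bit in the 16-bit flags field of the DNS header


def is_truncated(response: bytes) -> bool:
    """True when the header has TC=1: the server could not fit the answer in UDP."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & TC_FLAG)


def tcp_frame(message: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length, as RFC 1035 requires on TCP."""
    return struct.pack("!H", len(message)) + message


# Constructed sample headers (ID, flags, QD, AN, NS, AR); not captured from a real server.
TRUNCATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)   # QR RD RA + TC, no answers
NORMAL_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR RD RA, one answer


def next_step(response: bytes) -> str:
    """What a client should do with a UDP response: use it, or repeat the query over TCP."""
    return "retry over TCP" if is_truncated(response) else "UDP answer usable"


if __name__ == "__main__":
    name = "selector._domainkey.example.com"   # placeholder record name
    for bits in (1024, 2048, 4096):
        size = dkim_response_size(name, bits)
        print(f"{bits}-bit RSA: {size} bytes, fits 512-byte UDP: {size <= UDP_MAX_CLASSIC}, "
              f"fits EDNS 1232: {size <= UDP_MAX_EDNS}")
    print(next_step(TRUNCATED_HEADER), "/", next_step(NORMAL_HEADER))
```

With the placeholder name, a 2048-bit key yields a 473-byte response (fits the classic 512-byte limit) while a 4096-bit key yields 818 bytes, which only fits when the client advertises an EDNS buffer; without EDNS the server answers with TC=1 and an empty answer section, exactly the case described above. On the client side, `dig +tcp` forces the query over TCP and `dig +noedns` reproduces the classic 512-byte limit, which is a quick way to confirm whether TCP port 53 is being passed between ClearOS and Unbound.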
