On Wed, Dec 11, 2019 at 12:54:23AM +0100, Marco d'Itri wrote:
> Control: forwarded -1 https://gitlab.isc.org/isc-projects/bind9/issues/1483
>
> On Nov 24, Ondřej Surý <ond...@sury.org> wrote:
>
> > could you please file an upstream issue?
> Done.
>
> I will also add that I have found a workaround: sending SIGSTOP to named
> before suspend and SIGCONT a few seconds after resume.
Upstream recommended this:

---snip---
This will almost certainly be the result of packet loss immediately after
resume causing named to retry without EDNS (and DO=1) in an attempt to get a
response. The subsequent responses fail validation as they do not contain
DNSSEC records.

This behaviour was done to work around badly configured firewalls that dropped
EDNS or EDNS with DO=1 or EDNS with DO=1 and DNS COOKIE options present
(different levels of breakage).

Falling back to plain DNS on packet loss was changed in post DNS flag day
releases and BIND 9.14 does not retry with differing flags on packet loss.

I would recommend upgrading to BIND 9.14.
---snip---

Since we finally have 9.15 in experimental, could you please try this and give
feedback?

Thanks,
Bernhard
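The SIGSTOP/SIGCONT workaround Marco describes, written up as a systemd sleep hook. This is an added example, not code from the bug report or from the BIND project; it assumes the Debian pidfile path /run/named/named.pid and the systemd-sleep convention of calling hook scripts with `pre` or `post` as the first argument.

```shell
#!/bin/sh
# Hypothetical hook for /lib/systemd/system-sleep/ (install path is an
# assumption): pause named before suspend so it cannot observe the packet loss
# right after resume and fall back to non-EDNS queries, then let it continue a
# few seconds after the network is back.

NAMED_PIDFILE="${NAMED_PIDFILE:-/run/named/named.pid}"   # assumed Debian default
RESUME_DELAY="${RESUME_DELAY:-5}"                        # seconds before SIGCONT

# Map the systemd phase to the signal name to send; prints nothing for phases
# this hook does not care about.
signal_for_phase() {
    case "$1" in
        pre)  echo STOP ;;
        post) echo CONT ;;
        *)    echo "" ;;
    esac
}

# Resolve named's PID from its pidfile, falling back to pidof; prints nothing
# when named is not running.
named_pid() {
    if [ -r "$NAMED_PIDFILE" ]; then
        cat "$NAMED_PIDFILE"
    else
        pidof named 2>/dev/null | awk '{print $1}'
    fi
}

main() {
    sig=$(signal_for_phase "$1")
    [ -n "$sig" ] || return 0
    pid=$(named_pid)
    [ -n "$pid" ] || return 0
    # Wait for the link to settle before named resumes so its first queries
    # after wake-up are not the ones that get lost.
    [ "$sig" = CONT ] && sleep "$RESUME_DELAY"
    kill -s "$sig" "$pid"
}

# Only dispatch when invoked by systemd with a phase argument, so the functions
# above can also be sourced on their own.
case "${1:-}" in
    pre|post) main "$@" ;;
esac
```

Per the upstream reply, this only masks the symptom on older releases; BIND 9.14 and later no longer retry with different flags on packet loss, so the upgrade is the actual fix.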