I can demonstrate that there's a problem here, independent of dnsmasq:

srk@holly:~$ dig @2001:4860:4860::8888 dnskey org +dnssec

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @2001:4860:4860::8888 dnskey org +dnssec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Doing the same, but sending to 8.8.8.8, works.

With the number of dnskeys in .org generating an answer bigger than the PMTU, it all fails. The only thing dnsmasq can do is set the EDNS packet max value to that which must be supported by all implementations, which is 576 for IPv4 and 1280 for IPv6. Or the lower of those two when the query may be forwarded over both IPv4 and IPv6. Maybe 1280 is OK, since IPv4 fragmentation (normally) works, whilst IPv6 sender-based fragmentation seems to be terminally broken, at least for UDP.

Either way, having four DNSKEYS in .org looks like a bad decision.

Simon.
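
The following is an added example, not part of the original message and not dnsmasq code. It builds the same DNSKEY query for org that dig +dnssec sends, but with the EDNS0 OPT record advertising the sizes named in the message (576 for IPv4, 1280 for IPv6, the lower when both may be used), and parses the advertised size back out. The function names and the transaction ID are assumptions of the example.

```python
import struct

# Sizes as given in the message above, keyed by address family of the upstream.
SAFE_EDNS_SIZE = {4: 576, 6: 1280}
TYPE_DNSKEY, TYPE_OPT, CLASS_IN = 48, 41, 1
DO_BIT = 0x8000  # "DNSSEC OK" flag in the OPT TTL field (what dig +dnssec sets)


def edns_size(families):
    """Lowest size across every address family a query may be forwarded over."""
    return min(SAFE_EDNS_SIZE[f] for f in families)


def encode_name(name):
    """Encode a domain name as uncompressed wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, families, txid=0x1234):
    """DNS query with one question and an EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size(families), DO_BIT, 0)
    return header + question + opt


def advertised_size(packet):
    """Parse a query built as above; return (udp_payload_size, do_bit_set) or None."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        while packet[pos]:            # skip uncompressed labels
            pos += packet[pos] + 1
        pos += 1 + 4                  # root label, then QTYPE and QCLASS
    for _ in range(arcount):
        while packet[pos]:
            pos += packet[pos] + 1
        pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return None  # no OPT record: plain DNS, responses limited to 512 bytes
```

A responder that honours the advertised size sets the TC bit instead of sending a larger UDP answer, so the client retries over TCP rather than waiting on fragments that never arrive.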
