#2942 fedoraproject.* DNS cannot be resolved on broken EDNS/MTU/fragment networks due to large responses
Closed: Fixed None Opened 12 years ago by pwouters.

= phenomenon =

On some problem networks, as is currently the case with one of my racks in Amsterdam, routers fail to do proper UDP fragmentation and EDNS packet size announcements. This causes DNS packet drops for the DNSKEY RRset for the fedoraproject. domains. As fedoraproject. domains are in DLV, and the stock fedora unbound/bind configs now enable DNSSEC and DLV, hosts in such broken networks will not be able to resolve fedoraproject.* domains.

On a broken network, the following command will fail:

dig +dnssec fedoraproject.org @ns02.fedoraproject.org.

And on those broken networks, the following command will succeed:

dig +dnssec fedoraproject.org @ns02.fedoraproject.org. +bufsize=1220

All 4 fedora nameservers suffer from this issue.

= reason =
Broken DNS networking and MTU / packet fragmentation routers - usually outside the control of the end users running DNS servers.

= recommendation =
Newer bind/nsd nameservers serve zones now with "minimal responses". When done, the DNSKEY RRset fits in a single small UDP packet and even broken DNS networks will be able to properly resolve fedoraproject.* DNS names.

For bind the option name is minimal-responses=
Alternatively, the edns-udp-size= could be set smaller, but that might not fix incoming queries, only outgoing queries.

note: I guess this should be changed on the bind package in general, and not just on the instance on fedoraproject.* nameservers. I've CC:ed Adam, the bind maintainer.
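The two dig commands above differ only in the UDP payload size advertised in the query's EDNS0 OPT record, which is what decides whether the server sends one large (fragmented) UDP reply or truncates and lets the resolver retry over TCP. The following is an added example, not code from the ticket or from Fedora Infrastructure: it builds a DNS query with an EDNS0 OPT record (the wire form of `+bufsize=`), reads the advertised size back, checks the TC flag of a constructed truncated reply, and models the three outcomes (plain UDP, fragmented UDP that a broken network drops, truncation followed by TCP). The 4096-byte default, the 1500-byte path MTU and the 1700-byte DNSKEY reply size are assumptions chosen for illustration.

```python
"""Added example: EDNS0 buffer size on the wire and the truncate-vs-fragment decision."""
import struct

EDNS0_OPT_TYPE = 41
DO_FLAG = 0x8000              # "DNSSEC OK" bit in the OPT record's TTL field (what dig +dnssec sets)
TC_FLAG = 0x0200              # truncated-response bit in the DNS header flags
QTYPE_A = 1
DEFAULT_BUFSIZE = 4096        # assumed typical dig default
MTU_SAFE_BUFSIZE = 1220       # size used in the ticket's working dig command


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, bufsize: int = DEFAULT_BUFSIZE,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Build a query with one question and one EDNS0 OPT pseudo-RR in the additional section."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / version / flags (DO bit), no RDATA.
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS0_OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def _question_end(packet: bytes) -> int:
    """Return the offset just past the (single) question section."""
    pos = 12
    while packet[pos] != 0:            # walk QNAME labels (no compression in a query)
        pos += 1 + packet[pos]
    return pos + 1 + 4                 # root terminator + QTYPE + QCLASS


def parse_edns(query: bytes) -> dict:
    """Read the advertised UDP payload size and DO flag back out of a query we built."""
    pos = _question_end(query)
    if query[pos] != 0:
        raise ValueError("expected root name for OPT RR")
    rtype, udp_size, ttl, _rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    if rtype != EDNS0_OPT_TYPE:
        raise ValueError("no EDNS0 OPT record")
    return {"bufsize": udp_size, "do": bool(ttl & DO_FLAG)}


def truncated_reply(query: bytes) -> bytes:
    """Constructed reply a server would send when the answer exceeds the advertised bufsize:
    same ID, QR|TC|RD|RA set, question echoed, no answer records."""
    flags = 0x8000 | TC_FLAG | 0x0100 | 0x0080
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + query[12:_question_end(query)]


def is_truncated(packet: bytes) -> bool:
    """True when the TC bit is set, i.e. the resolver must retry the query over TCP."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & TC_FLAG)


def delivery_outcome(response_len: int, advertised_bufsize: int, path_mtu: int = 1500) -> str:
    """Model of the failure in the ticket. A reply that fits the advertised size goes out as
    UDP; if it is larger than the path MTU it is fragmented, and on networks that drop
    fragments it never arrives. A reply larger than the advertised size is truncated
    instead (TC=1) and the resolver falls back to TCP, which is why +bufsize=1220 works."""
    if response_len > advertised_bufsize:
        return "truncated-then-tcp"
    if response_len > path_mtu:
        return "fragmented-udp"       # dropped on the broken network described in the ticket
    return "udp"


if __name__ == "__main__":
    for size in (DEFAULT_BUFSIZE, MTU_SAFE_BUFSIZE):
        q = build_query("fedoraproject.org", bufsize=size)
        # 1700 bytes: assumed size of the fedoraproject.org DNSKEY RRset plus signatures
        print(size, parse_edns(q), delivery_outcome(1700, size))
```

Running the script with the two buffer sizes reproduces the ticket's observation: at 4096 the modelled reply is fragmented UDP (lost on the broken path), at 1220 it is truncated and completes over TCP. The "minimal responses" fix works from the other side by shrinking the reply itself so that the first branch applies.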


nirik restarted ns04, which seemed to resolve this issue (it's the only rhel6 based nameserver)

changing the option in ns05 also resolved that (but puppet will undo the change again)

nirik was going to change all servers now....

nirik finished changing the option on all servers, and they are now confirmed working from broken DNS networks. Thanks nirik!
