Content-Disposition: inline
Content-Transfer-Encoding: binary
References: <8bb8b319-6d25-2d10-f6ad-bc2cffa98507@acm.org>
Message-ID:
X-RT-Original-Encoding: utf-8
Content-Type: text/plain; charset="utf-8"
X-Mailer: MIME-tools 5.508 (Entity 5.508)
In-Reply-To: <8bb8b319-6d25-2d10-f6ad-bc2cffa98507@acm.org>
X-RT-Interface: Web
MIME-Version: 1.0
RT-Send-CC:
Content-Length: 891

Part of the issue here is that packet loss can't be treated as packet loss because there are nameservers that don't reliably respond to EDNS queries (old Microsoft Windows servers fall into this category, still out there) and there are firewalls that drop EDNS queries (getting rare these days) or drop EDNS queries with EDNS options present (still plenty of these). To get answers out of these servers, named falls back to plain DNS queries. Unfortunately, when we do this and the zone being looked up is signed, we don't get DNSSEC records returned. The unsigned answers then fail validation. Requerying usually works.

Add to this that there are also firewalls that block ICMP packet too big messages, so path MTU discovery fails, and there are firewalls that block fragmented packets. We try to work out what the remote server supports, but it takes a reasonable amount of traffic to do this.
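The degradation sequence described in the message (EDNS with options, then EDNS without options, then plain DNS) as an added offline illustration; this is not BIND's code. It encodes real DNS/EDNS0 wire format, but the `fake_server` stand-ins, the dummy COOKIE option bytes and the `probe` policy are constructed for the example.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000        # "DNSSEC OK" flag carried in the OPT TTL field
# Constructed sample option: an EDNS COOKIE (option code 10) with a dummy 8-byte client cookie.
COOKIE_OPT = struct.pack("!HH", 10, 8) + b"\x01\x02\x03\x04\x05\x06\x07\x08"

def build_query(qname, qtype=1, edns=True, do=True, udp_size=1232, options=b"", txid=0x1234):
    """Encode a DNS query; with edns=True an OPT RR is appended to the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, ARCOUNT
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # qtype, class IN
    if not edns:
        return header + question
    ttl = DO_BIT if do else 0  # extended rcode 0, version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(options)) + options
    return header + question + opt

def opt_info(query):
    """Return (has_opt, length_of_option_bytes) for a query produced by build_query."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return False, 0
    i = 12
    while query[i]:                  # skip the question name labels
        i += query[i] + 1
    i += 1 + 4                       # root label, qtype, qclass
    rdlen = struct.unpack("!H", query[i + 9:i + 11])[0]   # OPT RDLENGTH
    return True, rdlen

def probe(send, qname):
    """Fall back the way the message describes: EDNS+options -> EDNS -> plain DNS.
    send(query) returns a reply or None on timeout. Returns (mode, dnssec_records_possible)."""
    attempts = [("edns+options", {"options": COOKIE_OPT}), ("edns", {}), ("plain", {"edns": False})]
    for mode, kw in attempts:
        if send(build_query(qname, **kw)) is not None:
            return mode, mode != "plain"   # a plain-DNS answer carries no RRSIGs, so validation fails
    return None, False

def fake_server(drops_edns=False, drops_options=False):
    """Constructed stand-in for a server or firewall with the misbehaviours in the message."""
    def send(query):
        has_opt, optlen = opt_info(query)
        if (has_opt and drops_edns) or (optlen and drops_options):
            return None                  # silently dropped: indistinguishable from packet loss
        return b"reply"                  # any non-None value stands for an answer
    return send
```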