On 27/12/2017 13:18, Bernhard Schmidt wrote:
Thanks for this tip. Looking into it I discovered TCP seems to be recommened for DNSSEC so Ive enabled TCP port 53 and so far not had a problem!Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large packets. You might have an issue with UDP fragments being dropped at your firewall/NAT Gateway?