On 06/30/2015 07:01 PM, Paul Wouters wrote:

> With that many CNAMEs requiring validation and intermittent failure, my guess is your wifi is dropping a significant amount of queries.

It could also be NAT state table overflow.

> This is a case where shorter negative cache lifetimes should help a lot. This should come into dnssec-trigger very soon.

If it's the state table overflow, this won't help and could make the situation worse.

Disabling DNS prefetching in the browser might improve things. So would using TCP. Few consumer NAT devices are optimized for DNS over UDP with active source port randomization. (It's difficult to configure this even with iptables because the relevant tools are undocumented.) Disabling various Unbound hardening options also reduces the number of flows needed.

In the end, it could be necessary to perform queries for which a secure answer is expected with a constant source port.

-- 
Florian Weimer / Red Hat Product Security

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
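As an added illustration of the knobs discussed above (TCP upstream, fewer outgoing sockets, fewer hardening-induced queries, a narrower UDP source-port pool), not part of the original thread: an Unbound server fragment aimed at a resolver behind a small NAT device. The option names are real Unbound settings; the numeric values and port range are assumptions to adapt locally, and cache-max-negative-ttl is only accepted by newer Unbound releases. Narrowing the source-port pool gives up part of the off-path spoofing resistance that port randomization provides for answers DNSSEC does not cover, which is why the thread limits the constant-port idea to queries expected to validate.

```conf
server:
    # Option A: move upstream traffic to TCP. Each TCP connection is one
    # NAT entry and carries many queries; this removes UDP port churn
    # entirely. When tcp-upstream is on, the UDP settings below are idle.
    tcp-upstream: yes
    outgoing-num-tcp: 16

    # Option B (if UDP must stay): bound the number of concurrent outgoing
    # UDP sockets, i.e. the number of NAT table entries Unbound can hold.
    outgoing-range: 64

    # Restrict the source-port pool (assumed range) so repeated flows to
    # the same upstream reuse existing NAT mappings. Avoid-then-permit is
    # processed in order; keep the permitted set at least as large as
    # outgoing-range so queries are never starved of a port.
    outgoing-port-avoid: 0-65535
    outgoing-port-permit: 50000-50063

    # Optional extra lookups that each cost additional flows.
    harden-referral-path: no
    prefetch: no
    prefetch-key: no

    # Shorter negative caching, so a transiently dropped validation query
    # is retried sooner (newer Unbound releases only).
    cache-max-negative-ttl: 60
```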