DNSSEC Configuration Issues with UDP Truncation and PMTU on Domain frissly.hu

What is the name of the domain?

frissly.hu

What is the error number?

read below

What is the error message?

When testing DNSSEC with tools like DNSViz, I receive the following errors and warnings related to UDP payload size and PMTU:

UDP Packet Size Exceeded: The test results indicate that the DNSKEY response is too large for the UDP packet, resulting in truncation. The specific error message says: “No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.”

DNSSEC Packet Size Issues: The DNSKEY record generated by Cloudflare (Algorithm 8, RSA/SHA-256, Key Tag 46162, Digest Type SHA-256) may be contributing to the issue because of its large response size, which seems to be too big for a UDP packet without truncation.

What is the issue you’re encountering?

The DNSKEY record generated by Cloudflare (Algorithm 8, RSA/SHA-256, Key Tag 46162, Digest Type SHA-256) may be contributing to the issue because of its large response size, which seems to be too big for a UDP packet without truncation.

What steps have you taken to resolve the issue?

Verified DS Record Accuracy:

I have double-checked that the DS record in Forpsi matches exactly with what Cloudflare provided, including the Key Tag, Algorithm, Digest Type, and Digest.

Temporarily Disabled DNSSEC for Testing:

I tried disabling DNSSEC temporarily in Cloudflare to see if the issues would resolve, and my site became accessible without DNSSEC enabled. However, I would prefer to have DNSSEC enabled for security purposes.

Checked for TCP Fallback:

I understand that some DNS resolvers can retry with TCP if UDP truncates the response, but I’m unsure if this applies here or if I can configure this on my end.

What feature, service or problem is this related to?

DNSSEC

Screenshot of the error
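As an added example (not code from the post, from DNSViz or from Cloudflare), here is the TCP-fallback check the original poster describes, written with Python's standard library: build a DNSKEY query that advertises a chosen EDNS0 UDP buffer size with DO=1, inspect the TC bit in the reply, and repeat the query over TCP when the server had to truncate. The 1232-byte default buffer size and the server argument are assumptions; the two sample headers at the end are constructed so the truncation check can be exercised offline.

```python
import socket
import struct

DNSKEY = 48        # RR type for DNSKEY
OPT = 41           # EDNS0 pseudo-RR type
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's TTL field
TC_FLAG = 0x0200   # TC (truncated) bit in the DNS header flags

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, root terminator)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_dnskey_query(name, udp_payload_size, txid=0x1234):
    """DNSKEY query with an OPT record advertising udp_payload_size and DO=1."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", DNSKEY, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags (DO), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload_size, EDNS_DO, 0)
    return header + question + opt

def is_truncated(response):
    """True if the server set TC: the answer did not fit the advertised UDP size."""
    _, flags = struct.unpack("!HH", response[:4])
    return bool(flags & TC_FLAG)

def resolve_dnskey(name, server, udp_payload_size=1232, timeout=3.0):
    """Query over UDP; on TC=1 retry the same query over TCP (2-byte length prefix)."""
    query = build_dnskey_query(name, udp_payload_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(65535)
    if not is_truncated(response):
        return response, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("TCP stream closed before full response")
            data += chunk
    return data[2:], "tcp"

# Constructed sample headers (not captured from frissly.hu): a truncated reply
# (QR, TC, RD, RA set) and a complete one (QR, RD, RA set).
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
```

Lowering `udp_payload_size` until `resolve_dnskey` stops reporting "udp" reproduces what DNSViz does when it says the response only arrived after the UDP payload size was decreased.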

DNSViz seems to be reporting that problem at the root, which is odd. Maybe they have an issue…
https://dnsviz.net/d/frissly.hu/dnssec/

Verisign Labs doesn’t see any problems…

Your domain is resolving OK with DNSSEC so you are ok…
https://cf.sjr.org.uk/tools/check?8caedf2bec0146ca8668f4e273b96566#resolvers

Your site has “too many redirects”, check your SSL/TLS setting is set to “Full (strict)” in your dashboard here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls


Thank you for the guidance on resolving the issue.

Switching the SSL/TLS setting to “Full (strict)” in Cloudflare did indeed resolve the problem, and the site is now functioning as expected.

Thanks again for your assistance and prompt response!

