The issue with the MX queries for epd.gov.hk. is that the responses with DNSSEC enabled are quite large, and with the default EDNS0 4096 buffer size that Google Public DNS is currently using, the responses from ns1.hk.net and ns2.hk.net are fragmented and the Google Public DNS resolvers never receive them.
;; Query time: 191 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:21:43 EST 2019
;; MSG SIZE rcvd: 2418
;; connection timed out; no servers could be reached
As part of DNS Flag Day 2020, recursive resolvers can reduce problems due to blocked UDP DNS fragments by restricting the EDNS0 buffer size to 1232, and authoritative servers can help too, by limiting their response sizes to 1232 even if the client has asked for a larger response.
;; Query time: 202 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:24:19 EST 2019
;; MSG SIZE rcvd: 1076
While there is currently no configuration for Google Public DNS that would allow us to force all queries to these two name servers to use a smaller EDNS0 buffer size, we could mitigate the problem by switching to TCP for all queries.
Alternately, and more efficiently, it may be possible to configure these two name servers to limit their responses to 1232 bytes (this can usually be done by just omitting optional records from the Additional section).
https://dnsflagday.net/2020/#how-to-test has instructions for some popular open source DNS authoritative name servers (listed below), and if the operators of the ns[12].hk.net name servers can apply one of these, it would solve the problem.
BIND:
options {
  max-udp-size 1232;
};

Knot DNS:
server:
  max-udp-payload: 1232

PowerDNS Authoritative:
udp-truncation-threshold=1232

NSD:
server:
  ipv4-edns-size: 1232
  ipv6-edns-size: 1232