On 21/06/11 11:36, Daisuke HIGASHI wrote:
> Hi, Wouter. Thanks for the reply.
>
> 2011/6/20 W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
>
>> The responses for this query, the DNSKEY and the A responses are over 3
>> Kb. You likely have path MTU trouble. Something is wrong with your
>> fragments. Perhaps your own firewall is set to stop UDP fragments?
>
> You are right. -- my firewall (modem) handles fragments incorrectly.
>
> It seems that my firewall denies all fragments until the first fragment
> (offset=0) arrives. Most times the first fragment from vip.icann.org does
> not arrive first at my network. I don't know why but always packets
> may be reordered...

Older versions of the Linux kernel used to deliberately send fragments in reverse order. There are some (not very compelling) arguments that this is optimal, but it was uncommon so changed in kernel 2.4 IIRC.

Regardless, the firewall is of course broken.
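
The failure mode discussed in this thread, as an added Python simulation that is not part of the original mails: a filter that drops every fragment until offset 0 has been seen is compared with one that holds early fragments, for a constructed 3200-byte datagram delivered in reverse order. The function names, the fragment fields and the 1480-byte fragment payload are assumptions made for the illustration.

```python
# Added illustration: constructed fragments, hypothetical filter models.
from collections import namedtuple

# ip_id: IP identification shared by all fragments; more: the MF flag
Fragment = namedtuple("Fragment", "ip_id offset length more")

def fragment(ip_id, total_len, mtu_payload=1480):
    """Split a total_len-byte IP payload into fragments (1480 is a multiple of 8)."""
    frags, off = [], 0
    while off < total_len:
        n = min(mtu_payload, total_len - off)
        frags.append(Fragment(ip_id, off, n, off + n < total_len))
        off += n
    return frags

def strict_filter(arrivals):
    """Behaviour described in the thread: drop fragments until offset 0 was seen."""
    seen_first, passed = set(), []
    for f in arrivals:
        if f.offset == 0:
            seen_first.add(f.ip_id)
        if f.ip_id in seen_first:
            passed.append(f)
    return passed

def buffering_filter(arrivals):
    """Order-tolerant model: hold early fragments, release them once offset 0 arrives."""
    held, seen_first, passed = {}, set(), []
    for f in arrivals:
        if f.offset == 0:
            seen_first.add(f.ip_id)
            passed.append(f)
            passed.extend(held.pop(f.ip_id, []))
        elif f.ip_id in seen_first:
            passed.append(f)
        else:
            held.setdefault(f.ip_id, []).append(f)
    return passed

def reassembles(frags, total_len):
    """True if the fragments cover every byte and include the final (MF=0) one."""
    end = 0
    for start, stop in sorted((f.offset, f.offset + f.length) for f in frags):
        if start > end:
            return False  # gap: a fragment in the middle was dropped
        end = max(end, stop)
    return end == total_len and any(not f.more for f in frags)
```

With reverse-order delivery the strict model forwards only the offset-0 fragment, so the receiver can never reassemble the datagram and the resolver sees a timeout rather than an error.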