Enforce EDNS

Mark Andrews marka at isc.org
Tue Feb 7 00:59:39 UTC 2017


In message <df501874-ddc1-a864-77b8-1f3646c10a8d at switch.ch>, Daniel Stirnimann writes:
> Hello all,
> 
> Our resolver failed to contact an upstream name server as a result of
> network connectivity issues. named retries eventually worked but as it
> reverted back to not using EDNS and the answer should have been signed,
> the query response failed to validate. Subsequent queries towards this
> upstream name server were not utilizing EDNS as well because named
> remembers a name servers capabilities for some time (See also
> https://deepthought.isc.org/article/AA-00510/0)
> 
> My question is, can I enforce EDNS usage for a name server? I was
> thinking of the 'edns' clause in the server settings [1]. However, this
> is already enabled by default and only applies to an "attempt".

Named doesn't have a switch to force EDNS though I suppose we could
add one to 9.12.  e.g. server ... { edns force; };

I've also been thinking about no longer falling back to plain DNS
on no answer.  False positives on not supporting EDNS impact on
DNSSEC resolution.  Most firewalls now pass EDNS and most of the
old Microsoft servers that don't answer a second EDNS request are
gone.  Any remaining servers would then need to be handled via
server ... { edns no; };

Unfortunately we then need to decide what to do with servers that
don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
plain DNS which works except when there is a signed zone involved
and the server is validating.

I really don't want to add new automatic workarounds for broken
servers, but that requires people being willing to accept that
lookups will fail and that manual workarounds will now have to
be done, e.g. "server ... { send-cookie no; };"

Servers not answering EDNS or EDNS + DNS COOKIE would require
operator intervention.

Mark

> Daniel
> 
> [1]
> https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html#server_statement_grammar
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
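The two manual workarounds named in the message above, written out as complete BIND 9.11 named.conf server statements. This is an added example, not configuration from the message or from ISC; the addresses are RFC 5737 documentation addresses standing in for real upstream servers, and the comments describe the behaviour the thread discusses.

```conf
// Added example (not from the message above or from ISC).  The
// addresses are documentation addresses standing in for real upstreams.

// Default behaviour needs no statement: named attempts EDNS ("edns yes;")
// with a DNS COOKIE option and, if it gets no answer, falls back to
// plain DNS.  A signed answer fetched over plain DNS cannot carry the
// DO bit or RRSIGs, so a validating resolver then fails the lookup.

// Upstream that never answers any EDNS query: stop attempting EDNS
// for it.  Signed zones served only by this host will still fail to
// validate, so use this only where that is acceptable.
server 192.0.2.53 {
    edns no;
};

// Upstream that answers EDNS but drops EDNS + DNS COOKIE queries: keep
// EDNS (so DO/DNSSEC still works) and only stop sending the COOKIE
// option.  A prefix covers a whole pool of such servers.
server 198.51.100.0/24 {
    send-cookie no;
};
```

Prefer the narrower `send-cookie no;` whenever the server does answer EDNS without the cookie option, since `edns no;` gives up DNSSEC for that server entirely.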

