FW: Option to disable EDNS0?

Mark Andrews Mark_Andrews at isc.org
Wed Mar 17 21:43:36 UTC 2004


> 
> Hi All:
> 
> I am running Bind 9.2.3 on Win2k and the resolution of external addresses is
> VERY slow ... local addresses are fine. From some feedback and some Googling
> it seems to be related to EDNS0.
> 
> How can I disable this option?

	Before asking for it to be disabled you need to be sure
	that it is the problem.

	The vast majority of nameservers on the net speak EDNS.  Of
	those that don't the vast majority do the right thing and
	return an error code which triggers a non-EDNS query.  Named
	remembers which servers don't speak EDNS if FORMERR or
	NOTIMP is returned and uses standard EDNS in future.  SERVFAIL
	is not remembered as it would generate too many false
	positives.

	EDNS problems are usually limited to a *small* number of
	sites or specific queries.

	* the remote nameserver fails to respond to the query.
	  The remote server is not RFC 103[45] compliant, please
	  inform the remote zone administrator.  named will retry
	  without EDNS after a timeout.

	* the answer is blocked by a firewall because it is bigger
	  than 512 octets.  If it is your firewall you should be
	  upgrading it.  If it is a firewall at the remote site you
	  should be informing them they have a problem.  You can
	  disable EDNS to the server using a server clause.  Named
	  will retry the query without EDNS after a timeout.

	The only time where it is a general problem is when you
	have a broken firewall that is blocking all EDNS queries.
	The firewall needs to be upgraded.  Named will retry the
	queries without EDNS.

	The following query can be used to eliminate this case.

	dig soa . +dnssec @a.root-servers.net

; <<>> DiG 9.2.3 <<>> soa . +dnssec @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59172
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	SOA

;; ANSWER SECTION:
.			86400	IN	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2004031700 1800 900 604800 86400

;; AUTHORITY SECTION:
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
L.ROOT-SERVERS.NET.	3600000	IN	A	198.32.64.12
M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90

;; Query time: 241 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Thu Mar 18 08:25:11 2004
;; MSG SIZE  rcvd: 504

 
> Best regards
> Imran.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
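
A wire-level sketch of the check described in the message above, added here as an example (it is not part of the original post and not BIND code): it builds the `. SOA` query with an EDNS0 OPT record advertising 4096 octets and the DO bit, as `dig +dnssec` does, and classifies a reply into the cases the message lists. The function names and result strings are assumptions for illustration; header flags are left at zero and no packet is sent, so the block runs offline.

```python
import struct

FORMERR, NOTIMP = 1, 4                      # rcodes that mean "no EDNS here"
TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1

def build_query(qid, edns=True, udp_size=4096, do=True):
    """Wire-format query for '. SOA'; edns=True appends the OPT pseudo-RR."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    msg += b"\x00" + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if edns:
        # OPT: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16, DO = 0x8000), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000 if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                          # root label ends the name
            return off

def parse_edns(msg):
    """Return (rcode, opt); opt is None or a dict with udp, version, do."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            opt = {"udp": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return flags & 0x000F, opt

def diagnose(reply, edns_sent=True):
    """Map a reply (None = timeout) to the cases listed in the message."""
    if reply is None:
        return "timeout: retry without EDNS" if edns_sent else "timeout"
    rcode, opt = parse_edns(reply)
    if edns_sent and rcode in (FORMERR, NOTIMP):
        return "server does not speak EDNS: remember it"
    return "EDNS ok, udp=%d" % opt["udp"] if opt else "reply carries no OPT record"
```

A reply to the `dig` test that carries an OPT record, like the one quoted above, rules out the general case of a firewall blocking all EDNS traffic.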

