Too many timeouts resolving / disabling EDNS messages

Mark Andrews Mark_Andrews at isc.org
Fri Jan 25 23:22:05 UTC 2008


> 
> On Fri, 25 Jan 2008 16:11:19 +0100
> Simon Vallet <svallet at genoscope.cns.fr> wrote:
> 
> > Digging a little bit shows that BIND now queries every host using EDNS0,
> > even if dnssec-validation or dnssec-enable is off, which seems overkill.
> 
> OK -- digging a little bit more shows that this has actually been
> standard behaviour for some time now. So the better solution is
> probably to disable logging of these messages.
> 
> Sorry for the noise,
> Simon

	The better solution is to work out if it is a local problem
	that is causing the messages and fix it.

	The usual cause is a broken or misconfigured firewall / NAT.

	* A Firewall that doesn't allow through DNS packets > 512 bytes.
	* A Firewall/NAT that doesn't allow IP fragments through.

	To work around either of these, set edns-udp-size to an
	appropriate value, but only do it if you can't fix the
	underlying problem.

	e.g.
		I've got a NAT that can't handle out-of-order IP
		fragments so I use "edns-udp-size 1460;" which is
		small enough so that a UDP packet will fit in a
		Ethernet packet without fragmentation provided no
		IP options are set.

	"dig +norec +dnssec example.com @a.root-servers.net"

	Can be used to test if your firewall supports packets > 512.

	"dig +dnssec +norec +ignore dnskey se @A.NS.se"

	Can be used to test if IP fragments can get through at all.

	I don't have an out-of-order IP fragmentation test.

	These messages are rare events with an EDNS-clear path.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
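The two dig tests above, wrapped in a script (an added example, not part of Mark's post or of BIND) that runs each query, classifies what came back from the "MSG SIZE rcvd" line, and computes the largest EDNS UDP payload that fits in one packet for a given MTU. Function names, the `+time`/`+tries` settings and the embedded sample dig output are my own; the sample output is constructed, not captured from a real server, and only exists so the classifier can be exercised offline. Run the script with `--live` to issue the real queries (requires `dig`), or with `--demo` to see the classifier on the samples.

```shell
#!/bin/sh
# Added example: automate the two EDNS path tests from the post.
# Not BIND code; assumes a working `dig` for --live mode.

# classify_dig_output: read dig output on stdin and print one of
#   OK:<size>  a reply arrived, <size> taken from ";; MSG SIZE  rcvd:"
#   TIMEOUT    dig said no servers could be reached
#   NOREPLY    neither a size line nor a timeout line was seen
# Exit status is 0 only for OK.
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo TIMEOUT
        return 1
    fi
    size=$(printf '%s\n' "$out" \
           | sed -n 's/^;; MSG SIZE *rcvd: *\([0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$size" ]; then
        echo NOREPLY
        return 1
    fi
    echo "OK:$size"
    return 0
}

# edns_path_check LABEL DIG_ARGS...: run one of the recommended queries.
# Returns 0 if a reply larger than 512 bytes came back (the path carries
# big EDNS answers), 1 if nothing usable came back, 2 if the reply was
# small enough that the test proves nothing.
edns_path_check() {
    label=$1; shift
    result=$(dig +time=3 +tries=1 "$@" | classify_dig_output) || {
        echo "$label: $result (large EDNS replies are probably being dropped)"
        return 1
    }
    size=${result#OK:}
    if [ "$size" -gt 512 ]; then
        echo "$label: $size-byte reply received; path carries >512-byte UDP"
        return 0
    fi
    echo "$label: reply was only $size bytes; test inconclusive"
    return 2
}

# max_edns_udp_size MTU [4|6]: largest EDNS UDP payload that fits in one
# packet with no IP options or extension headers (IPv4 header 20 bytes,
# IPv6 header 40 bytes, UDP header 8 bytes). Mark's 1460 sits a little
# below the 1472 this gives for IPv4 on Ethernet, leaving some margin.
max_edns_udp_size() {
    mtu=$1; ver=${2:-4}
    if [ "$ver" = 6 ]; then
        echo $((mtu - 40 - 8))
    else
        echo $((mtu - 20 - 8))
    fi
}

# Constructed sample dig output (not from any real server), for offline use.
SAMPLE_LARGE_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; Query time: 31 msec
;; MSG SIZE  rcvd: 1633'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

case "${1:-}" in
    --live)
        # The two queries recommended in the post.
        edns_path_check "512-byte test" +norec +dnssec example.com @a.root-servers.net
        edns_path_check "fragment test" +dnssec +norec +ignore dnskey se @A.NS.se
        echo "edns-udp-size for 1500-byte MTU, IPv4: $(max_edns_udp_size 1500)"
        ;;
    --demo)
        printf '%s\n' "$SAMPLE_LARGE_REPLY" | classify_dig_output || true
        printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output || true
        ;;
esac
```

A TIMEOUT on the first query with `+dnssec` but a normal answer without it is the signature of a firewall dropping DNS UDP over 512 bytes; a TIMEOUT only on the second query points at fragments being dropped. Either way the fix belongs in the firewall or NAT, and `edns-udp-size` is the fallback.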


