Problems with EDNS0

Breno Silveira Soares breno.soares at serpro.gov.br
Mon Jul 20 19:20:20 UTC 2009


Hi list,

I have some servers with bind 9.5.0.P2 and one with bind 9.6.1.
The servers' logs have a lot of messages with "after disabling EDNS", 
as seen below:

[...]
Jul 20 15:31:34 server named[6909]: edns-disabled: info: success 
resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after 
disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success 
resolving 'smtpgw1.gov.on.ca/A' (in 'smtpgw1.gov.on.ca'?) after 
disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success 
resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing 
the advertised EDNS UDP packet size to 512 octets
Jul 20 15:31:40 server named[6909]: edns-disabled: info: success 
resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success 
resolving 'ns1.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success 
resolving 'ns2.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:45 server named[6909]: edns-disabled: info: success 
resolving 'mail.skystyle.de/A' (in 'skystyle.DE'?) after disabling EDNS
Jul 20 15:31:45 server named[6909]: edns-disabled: info: success 
resolving 'skystyle.de/MX' (in 'skystyle.DE'?) after disabling EDNS
Jul 20 15:31:46 server named[6909]: edns-disabled: info: success 
resolving 'goodgame.se/MX' (in 'goodgame.SE'?) after disabling EDNS
Jul 20 15:31:47 server named[6909]: edns-disabled: info: success 
resolving 'regions.com/MX' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:52 server named[6909]: edns-disabled: info: success 
resolving 'ns2.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success 
resolving 'ns1.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success 
resolving 'markets.nytimes.wallst.com/A' (in 
'markets.nytimes.wallst.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success 
resolving 'backupmx.nextweb.net/A' (in 'nextweb.net'?) after disabling EDNS
Jul 20 15:31:54 server named[6909]: edns-disabled: info: success 
resolving 'delphiproductions.com/MX' (in 'delphiproductions.COM'?) after 
disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success 
resolving 'portaldosgames.click21.com.br/A' (in 
'portaldosgames.click21.com.br'?) after disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success 
resolving 'obaoba.click21.com.br/A' (in 'obaoba.click21.com.br'?) after 
disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success 
resolving 'bemleve.click21.com.br/A' (in 'bemleve.click21.com.br'?) 
after disabling EDNS
Jul 20 15:32:17 server named[6909]: edns-disabled: info: success 
resolving 'fineprintech.com/MX' (in 'fineprintech.COM'?) after disabling 
EDNS
Jul 20 15:32:20 server named[6909]: edns-disabled: info: success 
resolving 'fotos.click21.com.br/A' (in 'fotos.click21.com.br'?) after 
disabling EDNS
Jul 20 15:32:20 server named[6909]: edns-disabled: info: success 
resolving 'giulianaflores.click21.com.br/A' (in 
'giulianaflores.click21.com.br'?) after disabling EDNS
Jul 20 15:32:27 server named[6909]: edns-disabled: info: success 
resolving 'mailwebslice.cloudapp.net/A' (in 'cloudapp.net'?) after 
disabling EDNS
[...]

For queries to remote servers that don't support EDNS, the time to 
resolve after disabling EDNS is generally over the timeout (5 seconds) of 
the clients (resolvers), and the query fails.
My infrastructure doesn't have a firewall between the DNS server and the 
Internet link, so it supports UDP packets > 512 bytes.
Queries to Akamai servers don't work with EDNS. To resolve this 
problem I configured bind with the directive "server <IP> { edns no; };", but 
it isn't a good solution.
From my server, some queries with EDNS work and some don't.

Does anyone have this problem? Look at the tests below:

-------------------------------------------------------------------------------------------------------------------------------
*Akamai plain DNS - OK*

# dig @n0g.akamai.net a961.g.akamai.net

; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63022
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a961.g.akamai.net.             IN      A

;; ANSWER SECTION:
a961.g.akamai.net.      20      IN      A       200.157.208.241
a961.g.akamai.net.      20      IN      A       200.157.208.240

;; Query time: 22 msec
;; SERVER: 200.216.69.243#53(200.216.69.243)
;; WHEN: Mon Jul 20 15:48:00 2009
;; MSG SIZE  rcvd: 67

-------------------------------------------------------------------------------------------------------------------------------
*Akamai with EDNS - FAIL*

# dig @n0g.akamai.net a961.g.akamai.net +bufsize=500

; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=500
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
-------------------------------------------------------------------------------------------------------------------------------
*.BR plain DNS  - OK*

# dig @a.dns.br br ns +noadditional

; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19236
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 8
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;br.                            IN      NS

;; ANSWER SECTION:
br.                     172800  IN      NS      a.dns.br.
br.                     172800  IN      NS      b.dns.br.
br.                     172800  IN      NS      c.dns.br.
br.                     172800  IN      NS      d.dns.br.
br.                     172800  IN      NS      e.dns.br.
br.                     172800  IN      NS      f.dns.br.

;; Query time: 28 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Mon Jul 20 15:55:24 2009
;; MSG SIZE  rcvd: 274
-------------------------------------------------------------------------------------------------------------------------------
*.BR with EDNS  - OK*

dig @a.dns.br br ns +noadditional +bufsize=500

; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional +bufsize=500
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59275
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;br.                            IN      NS

;; ANSWER SECTION:
br.                     172800  IN      NS      a.dns.br.
br.                     172800  IN      NS      b.dns.br.
br.                     172800  IN      NS      c.dns.br.
br.                     172800  IN      NS      d.dns.br.
br.                     172800  IN      NS      e.dns.br.
br.                     172800  IN      NS      f.dns.br.

;; Query time: 29 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Mon Jul 20 16:00:57 2009
;; MSG SIZE  rcvd: 285
-------------------------------------------------------------------------------------------------------------------------------

Thanks in advance,

-- 
Regards,
Breno S. Soares
Network Analyst
SERPRO/SUPRE/REBHE
Tel: (31) 3311-6825
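
A triage helper for the log excerpt in this post, added here as an example and not part of the original message: it rejoins the mail-wrapped syslog entries and counts, per zone, how often named succeeded only after dropping EDNS versus after shrinking the advertised buffer to 512 octets. The function names and the `no-edns` / `udp-512` labels are assumptions; the sample entries are copied from the excerpt above.

```python
import re
from collections import Counter, defaultdict

# Four entries copied from the post's excerpt, still wrapped as in the mail.
SAMPLE = """\
[...]
Jul 20 15:31:34 server named[6909]: edns-disabled: info: success
resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after
disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success
resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing
the advertised EDNS UDP packet size to 512 octets
Jul 20 15:31:40 server named[6909]: edns-disabled: info: success
resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success
resolving 'ns1.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
"""

# Start of a syslog entry written by named: "Mon DD HH:MM:SS host named[pid]: "
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ named\[\d+\]: ")
FALLBACK = re.compile(
    r"edns-disabled: info: success resolving '(?P<name>[^'/]+)/(?P<type>\w+)' "
    r"\(in '(?P<zone>[^']+)'\?\) after (?P<how>disabling EDNS|"
    r"reducing the advertised EDNS UDP packet size to 512 octets)")

def unwrap(text):
    """Rejoin entries that mail or terminal wrapping split over several lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:        # continuation of the previous entry
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Map each zone (lower-cased) to a Counter of 'no-edns' / 'udp-512' fallbacks."""
    per_zone = defaultdict(Counter)
    for entry in unwrap(text):
        m = FALLBACK.search(entry)
        if m:
            kind = "no-edns" if m["how"] == "disabling EDNS" else "udp-512"
            per_zone[m["zone"].lower()][kind] += 1
    return dict(per_zone)

if __name__ == "__main__":
    for zone, counts in sorted(summarize(SAMPLE).items()):
        print(f"{zone:25} no-edns={counts['no-edns']} udp-512={counts['udp-512']}")
```

Zones that show up repeatedly under `no-edns` are the ones whose authoritative servers are worth testing individually with dig, as done for Akamai above, before adding a per-server `edns no;` override.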
