Algorithm 'When to use EDNS0'?
Anand Buddhdev
anandb at ripe.net
Tue Nov 29 13:50:43 UTC 2011
On 29/11/2011 14:36, Mark Elkins wrote:
Hi Mark,
> When does 'EDNS' get brought into the picture?
> A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) -
> but a dig without '+dnssec' and actually asking for the 'dnskey' records
> for a domain - which is over 512 bytes - does a "Truncated, retrying in
> TCP Mode" on me - even when asking "localhost".
>
> I though that EDNS0 was negotiated or pretty much the default and didn't
> have to be kicked into action???? Is this some sort of safety default
> feature I need to de-activate via named.conf (which has no mention of
> EDNS anything)
The dig tool does not use ENDS0 by default. A regular, non-dnssec query
will not cause dig to use EDNS0.
If you want dig to use EDNS0, you must use the "+edns=0" option.
However, if you use the "+dnssec" flag, then dig also implicitly turns
on EDNS0.
So in your example, if you ask for DNSKEY records, but do not use either
of the +edns or +dnssec options, then dig will get a truncated response,
and will retry with TCP.
Another confusion is that you're asking about settings in named.conf.
The dig tool does not read that file; that file is read by named. If you
send a query to a resolver without using EDNS0, it just means that the
path between your dig command and the resolver is not using ENDS0. The
resolver may still use ENDS0 to resolve your query, but when it wants to
convey the response to you, it has to send a truncated answer, and dig
then switches to TCP to the resolver (even if you are only talking to
localhost).
Regards,
Anand Buddhdev
RIPE NCC
More information about the bind-users
mailing list