Algorithm 'When to use EDNS0'?

Mark Andrews marka at isc.org
Tue Nov 29 21:15:44 UTC 2011


In message <1322573807.4832.44.camel at mje99.posix.co.za>, Mark Elkins writes:
> I'm Running Bind 9.7.3-P3 (Gentoo build)...
> 
> When does 'EDNS' get brought into the picture?
> A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) -
> but a dig without '+dnssec' and actually asking for the 'dnskey' records
> for a domain - which is over 512 bytes - does a "Truncated, retrying in
> TCP Mode" on me - even when asking "localhost".
> 
> I thought that EDNS0 was negotiated or pretty much the default and didn't
> have to be kicked into action???? Is this some sort of safety default
> feature I need to de-activate via named.conf (which has no mention of
> EDNS anything)
> 
> I'd honestly never noticed this before...
> -- 
>   .  .     ___. .__      Posix Systems - (South) Africa
>  /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

Modern nameservers use EDNS by default.  They also deal with stupid
firewalls that drop EDNS or DO-1 requests or block the larger replies
and retry on FORMERR/SERVFAIL etc. using plain DNS when talking to
non-EDNS aware nameservers.

Stub resolvers generally do not unless it has been requested or is
required for other functionality like getting DNSSEC records in
responses.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
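To make the behaviour in this thread concrete, here is an added example (not code from the thread, from dig or from BIND) that builds the two kinds of query on the wire: a plain query, which lets the server send at most 512 bytes over UDP, and an EDNS0 query with an OPT pseudo-RR that advertises a larger buffer and, with the DO bit set, asks for DNSSEC records. It also shows the two client-side reactions the reply describes: a TC bit in the response means "retry over TCP", and a FORMERR/SERVFAIL to an EDNS query from a non-EDNS server means "resend without OPT". The name example.com, the transaction id and the 4096-byte buffer size are constructed values.

```python
import struct

# Added example, not code from the thread or from BIND. Byte layouts follow
# RFC 1035 (header, TC bit) and RFC 6891 (OPT pseudo-RR); sizes are constructed.

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_record(udp_size: int = 4096, do: bool = False) -> bytes:
    """EDNS0 OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    then ext-RCODE, version, 16-bit flags (DO is the top bit), RDLENGTH 0."""
    return b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, 0x8000 if do else 0, 0)

def build_query(qname: str, qtype: int, txid: int, edns: bool, do: bool = False) -> bytes:
    """Header + one IN question; an OPT RR in the additional section if EDNS is on.
    A dig without +dnssec is the edns=False case; dig +dnssec is edns=True, do=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    pkt = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return pkt + opt_record(do=do) if edns else pkt

def advertised_udp_size(query: bytes) -> int:
    """UDP reply size the client allows: 512 with no OPT RR, else the OPT CLASS.
    The 11-byte OPT RR is the last thing in the packet, so CLASS sits at -8:-6."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return 512
    return struct.unpack("!H", query[-8:-6])[0]

def needs_tcp_retry(response: bytes) -> bool:
    """TC bit (0x0200 in the header flags) set: the answer did not fit in the
    size allowed, which is what dig reports as 'Truncated, retrying in TCP mode'."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def plain_dns_fallback(query: bytes, response: bytes) -> bytes:
    """Resolver-style retry: on FORMERR (1) or SERVFAIL (2) to an EDNS query,
    resend the same question with the OPT RR stripped and ARCOUNT reset to 0."""
    rcode = struct.unpack("!H", response[2:4])[0] & 0x000F
    if rcode in (1, 2) and struct.unpack("!H", query[10:12])[0] == 1:
        return query[:10] + b"\x00\x00" + query[12:-11]
    return query

if __name__ == "__main__":
    q = build_query("example.com", 48, 0x1234, edns=False)       # DNSKEY, no EDNS
    print(advertised_udp_size(q))                                  # 512
    q = build_query("example.com", 48, 0x1234, edns=True, do=True)
    print(advertised_udp_size(q))                                  # 4096
```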