success resolving xxx after disabling EDNS

Ondřej Surý ondrej at isc.org
Wed May 4 12:32:10 UTC 2022


> On 4. 5. 2022, at 14:12, Veronique Lefebure <Veronique.Lefebure at cern.ch> wrote:
> 
> Hello,
> 
> If we see this on our DNS server logs (BIND 9.11):
> 
> 04-May-2022 12:55:37.675 edns-disabled: info: success resolving 'sour.woinsta.com/A' (in 'woinsta.com'?) after disabling EDNS
> 
> - are we correct to say that with BIND 9.16, that query will always fail because EDNS won't be disabled anymore?

The query will always time out, but it’s actually not the EDNS that’s
a problem, but DNS Cookies.

> - is there any tuning that needs to be done ?

The nameserver for woinsta.com just needs to adhere to DNS protocol
and not drop DNS queries with unknown EDNS options.

That said, you can selectively disable DNS cookies for the affected
nameserver(s); it’s described in the documentation and (a bit outdated)
KB article: https://kb.isc.org/docs/aa-01387

The main tuning is that people should not write their own DNS server
if they can’t implement it properly, but hey that’s what we have on the
Internet now...

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
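
Added example, not part of the original message and not ISC code: a pre-upgrade inventory that scans BIND 9.11 logs for the "after disabling EDNS" message quoted above and groups the affected names by zone, so the zones that would time out under 9.16 are known in advance. The first sample line is the one from the thread; the other sample lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the edns-disabled category message in the form quoted in the thread.
EDNS_FALLBACK = re.compile(
    r"^(?P<ts>\S+ \S+) edns-disabled: info: success resolving "
    r"'(?P<qname>[^'/]+)/(?P<qtype>[^']+)' \(in '(?P<zone>[^']+)'\?\) "
    r"after disabling EDNS$"
)

def fallback_inventory(lines):
    """Group names that resolved only after the EDNS fallback, keyed by zone."""
    zones = defaultdict(lambda: {"count": 0, "queries": set(), "last_seen": None})
    for line in lines:
        m = EDNS_FALLBACK.match(line.strip())
        if m is None:
            continue  # any other log message
        zone = m["zone"].lower().rstrip(".") or "."  # keep the root zone as "."
        seen = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        entry = zones[zone]
        entry["count"] += 1
        # DNS names are case-insensitive, so fold case before de-duplicating.
        entry["queries"].add((m["qname"].lower(), m["qtype"]))
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return dict(zones)

# First line is from the thread; the remaining lines are constructed samples.
SAMPLE_LOG = [
    "04-May-2022 12:55:37.675 edns-disabled: info: success resolving "
    "'sour.woinsta.com/A' (in 'woinsta.com'?) after disabling EDNS",
    "04-May-2022 13:01:02.110 edns-disabled: info: success resolving "
    "'SOUR.woinsta.com/AAAA' (in 'woinsta.com'?) after disabling EDNS",
    "04-May-2022 13:02:44.009 edns-disabled: info: success resolving "
    "'www.example.net/A' (in 'example.net'?) after disabling EDNS",
    "04-May-2022 13:03:00.500 general: info: constructed unrelated message",
]

if __name__ == "__main__":
    for zone, info in sorted(fallback_inventory(SAMPLE_LOG).items()):
        names = ", ".join(f"{q}/{t}" for q, t in sorted(info["queries"]))
        print(f"{zone}: {info['count']} fallback(s), last {info['last_seen']}: {names}")
```

Each zone reported is a candidate for the per-server workaround mentioned above (in named.conf, `send-cookie no;` inside a `server` clause for that zone's nameserver address), once the addresses of its nameservers have been looked up.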
