turning off EDNS0

Joseph Harvell jharvell at dogpad.net
Thu Dec 30 00:06:47 UTC 2004


Mark:

Thanks for your reply.  I do notice some AAAA queries in my Ethereal 
trace.  I will try the upgrade as you suggested.

I also notice that in several cases, the delay between the time the 
resolver issues the query to the local bind implementation and the time 
the local bind implementation issues the first query (to one of the root 
servers) is 2 seconds.  In another case while bind had many queries 
pending it seemed to wait 6 seconds.  Is bind multithreaded on Linux?

I also notice that Mozilla is making AAAA queries initially instead of A 
queries.  This seems to be slowing things down too.

Mark Andrews wrote:

>>I am running bind version "BIND 9.2.2-P1" and I notice that my query 
>>times are very long.  When I run Ethereal to see why, I see that initial 
>>queries are sending the OPT pseudo RR.  Almost every nameserver out 
>>there responds to this with RCODE "format error" and then bind issues 
>>another query without this extension.
>>    
>>
>
>	Actually the majority of servers out there know about EDNS.
> 
>  
>
>>This is really increasing my resolving time.  I would really like to 
>>disable this, but apparently I can only do this on a per server basis.
>>    
>>
>
>	The delays caused by EDNS probes are generally not noticeable to
>	the end user.
>
>	You are most probably seeing the side effects of the addition of
>	AAAA records for A.GTLD-SERVERS.NET and B.GTLD-SERVERS.NET.  This
>	tickled a bug in BIND 9 (fixed in 9.2.5/9.3.1 out soon).  This also
>	exposed misconfigured firewalls that incorrectly dropped EDNS
>	replies bigger than 512 octets.  The EDNS referral to the COM /
>	NET servers now exceeds 512 octets.
>
>	Upgrade to 9.3.0 and run "named -4" to work around the BIND 9
>	bug.
>
>	Upgrade to 9.3.0 and set "edns-udp-size 512;" in options if you
>	have a broken firewall.  This should be seen as a short term
>	work-around until you get the firewall fixed.
>	
>	You can determine if the firewall is misconfigured if you get
>	a response to the first query and not to the second query.
>
>		dig soa com +norec @a.root-servers.net
>		dig soa com +norec +bufsize=1024 @a.root-servers.net
>
>  
>
>>First, I would like to know how to disable this globally (hopefully 
>>without recompiling).  But something makes me think this is not what I 
>>want to do.  I just can't believe that ISC would release BIND9 
>>configured by default to double resolving times.  Am I doing something 
>>wrong?
>>
>>---
>>Joe Harvell
>>
>>
>>    
>>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
>  
>
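
The two-query firewall test quoted above, built by hand as an added example (not part of the original thread and not BIND or dig code). It shows the OPT pseudo-RR that appears in the trace and how the outcomes of the plain and EDNS queries are read; the names build_query, probe, rcode and classify are hypothetical, and the replies in the demo are constructed headers.

```python
import socket
import struct

FORMERR = 1  # RCODE "format error"
OPT = 41     # type code of the EDNS0 OPT pseudo-RR


def build_query(name, qtype=6, bufsize=None, qid=0x1234):
    """Non-recursive query (RD=0, like +norec); qtype 6 is SOA."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1 if bufsize else 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!2H", qtype, 1)
    if bufsize:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return msg


def probe(server, query, timeout=5.0):
    """Send one UDP query; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def rcode(reply):
    """The low four bits of the flags word carry the RCODE."""
    return struct.unpack("!H", reply[2:4])[0] & 0x000F


def classify(plain_reply, edns_reply):
    """Interpret the plain query and the EDNS query as a pair."""
    if plain_reply is None:
        return "inconclusive: no reply to the plain query either"
    if edns_reply is None:
        return "suspect firewall: plain query answered, EDNS query was not"
    if rcode(edns_reply) == FORMERR:
        return "server rejects EDNS: FORMERR, resolver retries without OPT"
    return "ok: both queries answered"


if __name__ == "__main__":
    # Constructed reply header (QR=1, NOERROR); the EDNS probe timed out.
    ok = struct.pack("!6H", 0x1234, 0x8000, 1, 0, 0, 0)
    print(classify(ok, None))
```

For a live check, pass classify() the results of probe(server, build_query("com")) and probe(server, build_query("com", bufsize=1024)) against the same server.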


