EDNS

Jim Reid jim at rfc1035.com
Thu Nov 18 20:43:41 UTC 2004


>>>>> "Jonathan" == Jonathan de Boyne Pollard <J.deBoynePollard at Tesco.NET> writes:

    LK> Is it possible to have a DNS server configured to not
    LK> work with DNS servers that don't support EDNS?

Yes, but that would be very unwise and the administrative complexities
would be overwhelming. Doing this would be as bad as choosing to
configure your name server not to talk to certain DNS implementations.
Which, come to think of it, does have attractions.... :-)

Just leave the name servers to figure out EDNS0 handling for
themselves. For example, BIND9 tries EDNS0 by default and reverts to
RFC1035-style queries when it comes across a server that doesn't
understand EDNS0. It also remembers which servers don't understand
EDNS0 and takes care not to send them more EDNS0 queries. BIND9 can
even be configured to always use or not use EDNS0 on a per-server
basis through server{} statements in named.conf.

    Jonathan> I wrote a resolving proxy DNS server that (at one point)
    Jonathan> did exactly that.  Its utility was less than stellar;
    Jonathan> since the set of DNS servers that don't support EDNS0
    Jonathan> includes (amongst *many* others) the "com." and "net."
    Jonathan> content DNS servers.  Excluding all such servers renders
    Jonathan> vast swathes of the DNS namespace (including "com.",
    Jonathan> "net.", and everything beneath them) unresolvable at a
    Jonathan> stroke.

Only for anyone using such a poorly conceived piece of software.
RFC2671 is very clear about what a server implementing EDNS0 does when
it encounters a server that doesn't understand EDNS0 and how that
legacy server is expected to respond to an EDNS0 query. If the RFC is
followed, then there's no problem. Apart from broken firewalls, the
presence or absence of EDNS0 has no significant impact on resolving.

    Jonathan> Indeed, given the current lack of EDNS0 support by
    Jonathan> public content DNS servers

What "lack of EDNS0 support"? BIND8 and BIND9 have supported this for
years. These implementations account for around 80% of the world's
installed name servers. Even the (latest version?) Microsoft
implementation supports EDNS0:

% fp ns2.msft.net
fingerprint (ns2.msft.net, 64.4.25.30): Microsoft Windows 2003 
% dig @ns2.msft.net microsoft.com soa +bufsize=4096

; <<>> DiG 9.3.0 <<>> @ns2.msft.net microsoft.com soa +bufsize=4096
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 293
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;microsoft.com.                 IN      SOA

;; ANSWER SECTION:
microsoft.com.          3600    IN      SOA     dns.cp.msft.net. msnhst.microsoft.com. 2004111601 300 600 2419200 3600

;; ADDITIONAL SECTION:
dns.cp.msft.net.        3600    IN      A       207.46.138.10

;; Query time: 206 msec
;; SERVER: 64.4.25.30#53(ns2.msft.net)
;; WHEN: Thu Nov 18 20:06:59 2004
;; MSG SIZE  rcvd: 116
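The probe-and-fallback behaviour described above for BIND9 (try EDNS0 first, drop the OPT RR when a server answers FORMERR/NOTIMP or does not answer, and remember that server so it is not sent EDNS0 again), written out as an added Python example. This is not code from the post, from BIND or from dig; the server names ns-edns.example and ns-legacy.example and the two in-memory "servers" are constructed for the demo so it runs without a network, and the 4096/1280 payload sizes mirror the dig run above.

```python
import random
import struct

# RCODEs a pre-EDNS server may return to a query carrying an OPT RR (RFC 2671 sec. 5.3)
FORMERR = 1
NOTIMP = 4
OPT_TYPE = 41


def build_query(qname, qtype=6, edns_bufsize=None, qid=None):
    """Wire-format query (QTYPE 6 = SOA); with edns_bufsize, add an OPT RR like dig +bufsize."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)  # RD set
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_bufsize:
        # OPT RR: root NAME, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE / version 0 / flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0xF, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += length + 1


def find_opt(msg):
    """Return udp size / version / flags of the OPT RR in a message, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF}
        off += 10 + rdlen
    return None


class EdnsAwareResolver:
    """EDNS0 first; on FORMERR/NOTIMP or no reply retry plain and cache the server as non-EDNS."""

    def __init__(self, transport):
        self.transport = transport  # callable(server, wire_query) -> wire_response or None
        self.no_edns = set()

    def query(self, server, qname, qtype=6):
        if server not in self.no_edns:
            resp = self.transport(server, build_query(qname, qtype, edns_bufsize=4096))
            if resp is not None and parse_header(resp)["rcode"] not in (FORMERR, NOTIMP):
                return resp, True
            self.no_edns.add(server)  # fall back, and never send this server OPT again
        return self.transport(server, build_query(qname, qtype)), False


def _make_server(supports_edns):
    """Constructed in-memory authoritative server for the demo (hypothetical, no network)."""
    def server(msg):
        h = parse_header(msg)
        if not supports_edns and h["arcount"] > 0:
            return struct.pack("!HHHHHH", h["id"], 0x8000 | FORMERR, 0, 0, 0, 0)  # rejects OPT
        qend = _skip_name(msg, 12) + 4
        # QR, AA, RD, RA set; echo the question; EDNS-aware server adds OPT with udp: 1280
        resp = struct.pack("!HHHHHH", h["id"], 0x8580, 1, 0, 0, int(supports_edns)) + msg[12:qend]
        if supports_edns:
            resp += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1280, 0, 0)
        return resp
    return server


def demo():
    calls = []
    servers = {"ns-edns.example": _make_server(True), "ns-legacy.example": _make_server(False)}

    def transport(server, msg):
        calls.append(server)
        return servers[server](msg)

    res = EdnsAwareResolver(transport)
    r1, e1 = res.query("ns-edns.example", "example.com.")
    _, e2 = res.query("ns-legacy.example", "example.com.")   # EDNS0 probe, then plain retry
    _, e3 = res.query("ns-legacy.example", "example.net.")   # cached: plain query only
    return {"modern_used_edns": e1, "modern_udp_size": find_opt(r1)["udp_size"],
            "legacy_used_edns": e2 or e3,
            "legacy_calls": calls.count("ns-legacy.example"),
            "no_edns_cache": sorted(res.no_edns)}
```

Calling demo() shows the legacy server costing exactly one extra round trip (three transport calls for two queries) and never being sent OPT again, while the EDNS-aware server answers with its own udp: 1280 as in the dig output above. Swap the in-memory transport for a UDP socket to probe real servers, and treat a timeout (None) the same way as FORMERR, which is what covers the "broken firewalls" case.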
