Too many timeouts resolving / disabling EDNS messages

spaav spaavola at earthlink.net
Sun Mar 9 15:11:02 UTC 2008


On Jan 25, 7:22 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> > On Fri, 25 Jan 2008 16:11:19 +0100
> > Simon Vallet <sval... at genoscope.cns.fr> wrote:
>
> > > Digging a little bit shows that BIND now queries every host using EDNS0,
> > > even if dnssec-validation or dnssec-enable is off, which seems overkill.
>
> > OK -- digging a little bit more shows that this has actually been
> > standard behaviour for some time now. So the better solution is
> > probably to disable logging of these messages.
>
> > Sorry for the noise,
> > Simon
>
>         The better solution is to work out if it is a local problem
>         that is causing the messages and fix it.
>
>         The usual causes are a broken or misconfigured firewall / NAT.
>
>         * A Firewall that doesn't allow through DNS packets > 512 bytes.
>         * A Firewall/NAT that doesn't allow IP fragments through.
>
>         To work around either of these set edns-udp-size to an
>         appropriate value but only do it if you can't fix the
>         underlying problem.
>
>         e.g.
>                 I've got a NAT that can't handle out-of-order IP
>                 fragments so I use "edns-udp-size 1460;" which is
>                 small enough so that a UDP packet will fit in an
>                 Ethernet packet without fragmentation provided no
>                 IP options are set.
>
>         "dig +norec +dnssec example.com @a.root-servers.net"
>
>         Can be used to test if your firewall supports packets > 512.
>
>         "dig +dnssec +norec +ignore dnskey se @A.NS.se"
>
>         Can be used to test if IP fragments can get through at all.
>
>         I don't have an out-of-order IP fragmentation test.
>
>         These messages are rare events with an EDNS clear path.
>
>         Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andr... at isc.org

I've been getting the EDNS timeouts as well using bind 9.5. EDNS
doesn't appear to work at all for me. Thanks for these suggestions
using dig. I'd previously tried to fix my firewall, but these dig
commands indicate my firewall is working ok. Do you have anything else
I could try to resolve my problem?

Steve
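Added example, not code from either poster and not part of BIND: a small POSIX sh helper that turns the two dig probes quoted by Mark into a verdict instead of output to eyeball, and computes the unfragmented UDP payload bound that the "edns-udp-size 1460;" workaround sits under. It assumes only dig's standard trailer lines (";; flags: ...", "; EDNS: version: 0, ...", ";; MSG SIZE  rcvd: N"). The function names are this example's own, and the three sample outputs are constructed and abbreviated, not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the bind-users post, not from BIND/ISC).
# Classifies a dig run for the EDNS/fragment path checks and derives the
# edns-udp-size bound. Sample outputs below are constructed, not captured.

# classify_probe  (reads one dig run from stdin)
# Prints: TIMEOUT   no reply at all (dig's "connection timed out")
#         NO_EDNS   reply has no OPT record: EDNS stripped or unsupported on the path
#         TRUNCATED reply has TC set, so the answer did not fit the UDP size in use
#         SMALL     reply arrived but is <= 512 bytes, so ">512" was not exercised
#         LARGE     reply > 512 bytes arrived whole: the path passes large EDNS replies
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo TIMEOUT; return 0
    fi
    if ! printf '%s\n' "$out" | grep -q '^; EDNS: version: 0'; then
        echo NO_EDNS; return 0
    fi
    # ";; flags: qr tc; QUERY: 1, ..." -> "qr tc"; pad with spaces so "tc" matches whole
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    if printf ' %s ' "$flags" | grep -q ' tc '; then
        echo TRUNCATED; return 0
    fi
    size=$(printf '%s\n' "$out" | sed -n 's/^;; MSG SIZE  rcvd: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$size" ]; then
        echo UNKNOWN; return 1
    fi
    if [ "$size" -gt 512 ]; then echo LARGE; else echo SMALL; fi
}

# max_udp_payload MTU 4|6
# Largest UDP payload (i.e. DNS message) that fits one packet without IP
# fragmentation: MTU minus IP header (20 bytes IPv4, 40 bytes IPv6) minus the
# 8-byte UDP header. On 1500-byte Ethernet: 1472 (IPv4), 1452 (IPv6), so an
# edns-udp-size of 1460 keeps IPv4 replies below the fragmentation point.
max_udp_payload() {
    case $2 in
        4) echo $(( $1 - 20 - 8 )) ;;
        6) echo $(( $1 - 40 - 8 )) ;;
        *) echo "usage: max_udp_payload MTU 4|6" >&2; return 1 ;;
    esac
}

# edns_workaround_options SIZE -> named.conf fragment for the workaround
edns_workaround_options() {
    printf 'options {\n\t// workaround only: path drops fragments / UDP > 512; fix the network if you can\n\tedns-udp-size %s;\n};\n' "$1"
}

# Constructed sample runs, cut down to the lines classify_probe reads.
SAMPLE_LARGE='; <<>> DiG 9.5.0 <<>> +norec +dnssec example.com @a.root-servers.net
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE  rcvd: 1187'
SAMPLE_TIMEOUT='; <<>> DiG 9.5.0 <<>> +dnssec +norec +ignore dnskey se @A.NS.se
;; connection timed out; no servers could be reached'
# A middlebox that rewrote the advertised size down to 512 would produce this shape.
SAMPLE_TRUNC='; <<>> DiG 9.5.0 <<>> +dnssec +norec +ignore dnskey se @A.NS.se
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; MSG SIZE  rcvd: 23'

# Offline demonstration on the constructed samples.
for s in LARGE TIMEOUT TRUNC; do
    eval "sample=\$SAMPLE_$s"
    printf '%-8s -> %s\n' "$s" "$(printf '%s\n' "$sample" | classify_probe)"
done
printf 'largest unfragmented UDP payload, IPv4 on 1500 MTU: %s\n' "$(max_udp_payload 1500 4)"

# Live run of the two probes from the post; only on request, needs dig and network.
run_live_probes() {
    printf '>512 path: %s\n' "$(dig +norec +dnssec example.com @a.root-servers.net | classify_probe)"
    printf 'fragments: %s\n' "$(dig +dnssec +norec +ignore dnskey se @A.NS.se | classify_probe)"
}
if [ "${1-}" = "--live" ]; then run_live_probes; fi
```

Run it with no arguments to see the verdicts on the constructed samples, or with `--live` to run the two probes from the post against the real servers. The second probe keeps `+ignore` because it stops dig from retrying over TCP when a UDP reply is truncated, which is what lets a TC flag (or a silent timeout from dropped fragments) show up in the output rather than being papered over.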
