Problems with EDNS0

Mark Andrews marka at isc.org
Tue Jul 21 03:26:15 UTC 2009


In message <4A64C374.4000708 at serpro.gov.br>, Breno Silveira Soares writes:
> Hi list,
> 
> I have some servers with bind 9.5.0.P2 and one with bind 9.6.1.
> And the servers logs have a lot of messages with "after disabling EDNS" 
> as seen above:
> 
> [...]
> Jul 20 15:31:34 server named[6909]: edns-disabled: info: success resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after disabling EDNS
> Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'smtpgw1.gov.on.ca/A' (in 'smtpgw1.gov.on.ca'?) after disabling EDNS
> Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Jul 20 15:31:40 server named[6909]: edns-disabled: info: success resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns1.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns2.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'mail.skystyle.de/A' (in 'skystyle.DE'?) after disabling EDNS
> Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'skystyle.de/MX' (in 'skystyle.DE'?) after disabling EDNS
> Jul 20 15:31:46 server named[6909]: edns-disabled: info: success resolving 'goodgame.se/MX' (in 'goodgame.SE'?) after disabling EDNS
> Jul 20 15:31:47 server named[6909]: edns-disabled: info: success resolving 'regions.com/MX' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:52 server named[6909]: edns-disabled: info: success resolving 'ns2.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'ns1.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'markets.nytimes.wallst.com/A' (in 'markets.nytimes.wallst.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'backupmx.nextweb.net/A' (in 'nextweb.net'?) after disabling EDNS
> Jul 20 15:31:54 server named[6909]: edns-disabled: info: success resolving 'delphiproductions.com/MX' (in 'delphiproductions.COM'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'portaldosgames.click21.com.br/A' (in 'portaldosgames.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'obaoba.click21.com.br/A' (in 'obaoba.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'bemleve.click21.com.br/A' (in 'bemleve.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:17 server named[6909]: edns-disabled: info: success resolving 'fineprintech.com/MX' (in 'fineprintech.COM'?) after disabling EDNS
> Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'fotos.click21.com.br/A' (in 'fotos.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'giulianaflores.click21.com.br/A' (in 'giulianaflores.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:27 server named[6909]: edns-disabled: info: success resolving 'mailwebslice.cloudapp.net/A' (in 'cloudapp.net'?) after disabling EDNS
> [...]
> 
> For queries to remote servers that don't support EDNS, the time to 
> resolve after disabling EDNS is generally over the timeout (5 seconds) of 
> the clients (resolvers), and the query fails.
> My infrastructure doesn't have a firewall between the DNS server and the 
> Internet link, so it supports UDP packets > 512 bytes.

You think there isn't a firewall.  There is something in the path
that is blocking responses.  When you find it can you please inform
the manufacturer that their product is broken and you would like it
fixed.  FORMERR is part of the base DNS specification and shouldn't
be filtered.

> Queries to Akamai servers don't work with EDNS. To resolve this 
> problem I configured bind with the directive "server <IP> { edns no; };", but 
> that isn't a good solution.
> From my server, some queries with EDNS work and some don't.

Akamai does respond to EDNS queries.
 
> Does anyone have this problem? Look at the tests above:
> -------------------------------------------------------------------------------------------------------------------------------
> *Akamai plain DNS - OK*
> 
> # dig @n0g.akamai.net a961.g.akamai.net
> 
> ; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63022
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;a961.g.akamai.net.             IN      A
> 
> ;; ANSWER SECTION:
> a961.g.akamai.net.      20      IN      A       200.157.208.241
> a961.g.akamai.net.      20      IN      A       200.157.208.240
> 
> ;; Query time: 22 msec
> ;; SERVER: 200.216.69.243#53(200.216.69.243)
> ;; WHEN: Mon Jul 20 15:48:00 2009
> ;; MSG SIZE  rcvd: 67
> 
> -------------------------------------------------------------------------------------------------------------------------------
> *Akamai with EDNS - FAIL*
> 
> # dig @n0g.akamai.net a961.g.akamai.net +bufsize=500
> 
> ; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=500
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Here is what you should be seeing.  It looks like something is
filtering out the FORMERR responses.  Almost all of the above log
messages are for zones where FORMERR is returned.  Responses from
EDNS aware servers are getting back.

B.T.W. you should use 512, not 500, as the buffer size.

drugs:dnssec 13:10 {1669} % dig @n0g.akamai.net a961.g.akamai.net +bufsize=512

; <<>> DiG 9.3.6-P1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=512
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 52294
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 11 msec
;; SERVER: 60.254.186.21#53(60.254.186.21)
;; WHEN: Tue Jul 21 13:10:50 2009
;; MSG SIZE  rcvd: 12

drugs:dnssec 13:10 {1670} % 

Mark

> -------------------------------------------------------------------------------------------------------------------------------
> *.BR plain DNS  - OK*
> 
> # dig @a.dns.br br ns +noadditional
> 
> ; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19236
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 8
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;br.                            IN      NS
> 
> ;; ANSWER SECTION:
> br.                     172800  IN      NS      a.dns.br.
> br.                     172800  IN      NS      b.dns.br.
> br.                     172800  IN      NS      c.dns.br.
> br.                     172800  IN      NS      d.dns.br.
> br.                     172800  IN      NS      e.dns.br.
> br.                     172800  IN      NS      f.dns.br.
> 
> ;; Query time: 28 msec
> ;; SERVER: 200.160.0.10#53(200.160.0.10)
> ;; WHEN: Mon Jul 20 15:55:24 2009
> ;; MSG SIZE  rcvd: 274
> -------------------------------------------------------------------------------------------------------------------------------
> *.BR with EDNS  - OK*
> 
> dig @a.dns.br br ns +noadditional +bufsize=500
> 
> ; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional +bufsize=500
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59275
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;br.                            IN      NS
> 
> ;; ANSWER SECTION:
> br.                     172800  IN      NS      a.dns.br.
> br.                     172800  IN      NS      b.dns.br.
> br.                     172800  IN      NS      c.dns.br.
> br.                     172800  IN      NS      d.dns.br.
> br.                     172800  IN      NS      e.dns.br.
> br.                     172800  IN      NS      f.dns.br.
> 
> ;; Query time: 29 msec
> ;; SERVER: 200.160.0.10#53(200.160.0.10)
> ;; WHEN: Mon Jul 20 16:00:57 2009
> ;; MSG SIZE  rcvd: 285
> -------------------------------------------------------------------------------------------------------------------------------
> 
> Thanks in advance,
> 
> -- 
> Regards,
> Breno S. Soares
> Network Analyst
> SERPRO/SUPRE/REBHE
> Tel: (31) 3311-6825
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
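To make Mark's point concrete, here is an added example (not code from the thread or from BIND) that builds the EDNS0 query dig sends with +bufsize=512 and classifies what comes back: a 12-byte FORMERR as in Mark's dig output means an EDNS-unaware server and a retry without the OPT record is fine, a NOERROR reply carrying an OPT record means EDNS works, and no reply at all (Breno's case) is what a filtered FORMERR looks like. The reply bytes are constructed for the example, not captured traffic, and the function names are the example's own.

```python
import struct

def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the offset after it."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def build_edns_query(qname, qtype=1, qid=0x1234, udp_size=512):
    """A DNS query with one EDNS0 OPT RR advertising udp_size as our UDP payload size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP size, TTL carries ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def classify_response(query, response):
    """What a resolver should conclude from the reply (or lack of one) to an EDNS query."""
    if response is None:
        return "timeout"              # nothing came back: the symptom in the dig output above
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "ignored"              # not a reply to our query
    if flags & 0x000F == 1:
        return "formerr"              # EDNS-unaware server: retry the query without the OPT RR
    off = 12
    for _ in range(qd):               # skip the question section
        off = _skip_name(response, off) + 4
    for i in range(an + ns + ar):     # walk the RRs; an OPT RR belongs in the additional section
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns and rtype == 41:
            return "edns-ok udp=%d" % rclass
    return "noerror-no-opt"           # answered but no OPT echoed: treat the server as EDNS-unaware

# Constructed sample replies: a header-only FORMERR (flags qr rd, QDCOUNT 0, 12 bytes) like Mark's
# dig output, and a NOERROR reply that echoes an OPT RR advertising udp 4096 like the .BR test.
Q = build_edns_query("a961.g.akamai.net")
FORMERR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8101, 0, 0, 0, 0)
_qsect = _encode_name("a961.g.akamai.net") + struct.pack("!HH", 1, 1)
EDNS_OK_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1) + _qsect
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 20, 4) + bytes([200, 157, 208, 241])
                 + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

A BIND resolver that sees "formerr" logs nothing; it is the "timeout" case that ends in the edns-disabled messages and the 5-second client timeouts Breno reports.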