our isp not supports EDNS?

Anatoly Pugachev mator at team.co.ru
Tue Jun 22 17:59:04 UTC 2010


Thanks Bill.

I'm well aware of dns-oarc tests...
but they are no more than firewall / dns packet size tests.

My idea/concern is what could be wrong/broken (except for DNSSEC), if we
disable eDNS on our servers - I need to carry this idea to my colleague.
My quick test shows that disabling edns per "0/0 { edns no;};" doesn't
break resolving/anything (except for dnssec queries).

On 22.06.2010 / 10:14:36 -0700, Bill Buhlman wrote:
> another example:
>  
> dig +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net.
> "Tested at 2010-06-22 17:11:44 UTC"
> "169.199.1.1 sent EDNS buffer size 4096"
> "169.199.1.1 DNS reply size limit is at least 3843"
> 
> --- On Tue, 6/22/10, Anatoly Pugachev <mator at team.co.ru> wrote:
> 
> 
> From: Anatoly Pugachev <mator at team.co.ru>
> Subject: Re: our isp not supports EDNS?
> To: "Mark Andrews" <marka at isc.org>
> Cc: "Jeff Pang" <PANGJ at arcor.de>, bind-users at isc.org
> Date: Tuesday, June 22, 2010, 8:58 AM
> 
> 
> 
> Mark,
> 
> please see below...
> 
> On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
> > 
> > In message <y2sf7e964441005031927m7774769ev280156817d8b4d53 at mail.gmail.com>, Jeff Pang writes:
> > > Hello,
> > > 
> > > Following the discussions in the list, I made a test on one of our
> > > servers, which is in an ISP's datacenter.
> > > 
> > > The result is below:
> > > 
> > > $ dig +short rs.dns-oarc.net txt
> > > rst.x476.rs.dns-oarc.net.
> > > rst.x485.x476.rs.dns-oarc.net.
> > > rst.x490.x485.x476.rs.dns-oarc.net.
> > > "218.204.255.72 DNS reply size limit is at least 490"
> > > "218.204.255.72 lacks EDNS, defaults to 512"
> > > "Tested at 2010-05-04 02:23:51 UTC"
> > > 
> > > Does this mean our ISP's firewall blocks EDNS query/response?
> > 
> > Maybe / maybe not.  It could just mean that the nameserver itself
> > doesn't support EDNS.
> 
> How bad is it if the provider's server doesn't support/make eDNS queries?
> Is eDNS support/usage for the DNSSEC protocol only? I mean, my
> colleague proposes to use the following statement in named.conf:
> 
> server 0.0.0.0/0 {
>         edns no;
> };
> 
> as a fix for the broken servers which don't support eDNS queries, for
> example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains
> http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM and dig
> +bufsize requests to them end with a timeout, so it's probably just
> firewalled for packets more than 512 bytes long).
> 
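
The two `dig +short rs.dns-oarc.net txt` outputs quoted in this thread can be compared mechanically. The following is an added example, not part of the original messages: a small parser for the TXT lines of that test, with the function names and the classification labels being assumptions made for illustration.

```python
import re

# Both samples are the `dig +short rs.dns-oarc.net txt` outputs quoted in this thread.
SAMPLE_JEFF = '''rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"218.204.255.72 DNS reply size limit is at least 490"
"218.204.255.72 lacks EDNS, defaults to 512"
"Tested at 2010-05-04 02:23:51 UTC"'''

SAMPLE_BILL = '''rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-06-22 17:11:44 UTC"
"169.199.1.1 sent EDNS buffer size 4096"
"169.199.1.1 DNS reply size limit is at least 3843"'''

PATTERNS = {
    "edns_bufsize": re.compile(r"^(\S+) sent EDNS buffer size (\d+)$"),
    "reply_limit": re.compile(r"^(\S+) DNS reply size limit is at least (\d+)$"),
    "no_edns_default": re.compile(r"^(\S+) lacks EDNS, defaults to (\d+)$"),
}

def parse_reply_size_test(output):
    """Extract the resolver address and size figures from the TXT lines."""
    result = {"resolver": None, "edns_bufsize": None,
              "reply_limit": None, "no_edns_default": None}
    for raw in output.splitlines():
        line = raw.strip().strip('"')
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                result["resolver"] = m.group(1)
                result[key] = int(m.group(2))
    return result

def classify(result):
    """Hypothetical labels: 'no-edns', 'edns-restricted', 'edns-ok', 'unknown'."""
    if result["no_edns_default"] is not None:
        return "no-edns"          # the test reports that the resolver lacks EDNS
    if result["edns_bufsize"] is None or result["reply_limit"] is None:
        return "unknown"          # output incomplete, nothing to conclude
    if result["reply_limit"] <= 512:
        return "edns-restricted"  # EDNS advertised, but replies above 512 bytes did not arrive
    return "edns-ok"

if __name__ == "__main__":
    for sample in (SAMPLE_JEFF, SAMPLE_BILL):
        parsed = parse_reply_size_test(sample)
        print(parsed["resolver"], classify(parsed), parsed)
```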
