DNSSEC and EDNS behavior

Taylor, Gord gord.taylor at rbc.com
Thu Oct 20 14:06:58 UTC 2011

We had a similar issue here (although the cause was CheckPoint's
SmartDefence being turned on for a business partner, which prevented
EDNS0 packets). The behaviour is that BIND 9 will attempt EDNS0 3 times,
then fail back to EDNS disabled. It will clear any backlog of queries
FOR THAT SAME NAME, then revert back to using EDNS0.

Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet
Technologies | Royal Bank of Canada 

-----Original Message-----
From: bind-users-bounces+gord.taylor=rbc.com at lists.isc.org
[mailto:bind-users-bounces+gord.taylor=rbc.com at lists.isc.org] On Behalf
Sent: 2011, October, 20 9:50 AM
To: bind-users at lists.isc.org
Subject: DNSSEC and EDNS behavior


Does anybody know how BIND, running as a DNS caching resolver, makes the
decision to disable the EDNS0 OPT in queries sent to a certain nameserver it
is talking to?

What are the situations (timeouts, FORMERR, etc.) that mark the server
as unable to speak EDNS0? (add_bad)

How can the server be recovered again as EDNS0 capable?

We had a situation where our authoritative nameserver returned damaged
data and BIND (BIND 9.7.3-P3 on CentOS 6 2.6.32-71.29.1.el6.i686 32bit)
evaluated it as FORMERR.

After that, it talked to our server without EDNS0 even though an
EDNS0 OPT was included in the previous response.

The only recovery was to flush the cache.

Thanks for your replies.

Milan Leszkow
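To make the behaviour discussed above concrete, here is an added example (mine, not code from either poster or from BIND): a minimal wire-format builder and parser that sends the same kind of query a resolver sends, with and without an EDNS0 OPT record, and classifies the reply the way a resolver would when deciding whether a server (or a middlebox in front of it, such as the firewall feature mentioned in the reply) can handle EDNS0. The labels 'capable', 'formerr' and 'stripped' are my own; the replies are constructed in `build_response` so the whole thing runs offline.

```python
import struct

TYPE_OPT, RCODE_FORMERR = 41, 1

def encode_name(name):
    labels = [l.encode() for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l for l in labels) + b'\x00'

def opt_rr(udp_size=4096):
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode/version/flags with the DO (DNSSEC OK) bit set, empty RDATA
    return b'\x00' + struct.pack('!HHIH', TYPE_OPT, udp_size, 0x8000, 0)

def skip_name(msg, off):
    # Walk labels until the root label or a compression pointer terminates the name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def build_query(name, edns=True, txid=0x1234):
    # Recursion-desired A query; with edns=True an OPT record rides in ARCOUNT
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    return header + encode_name(name) + struct.pack('!HH', 1, 1) + (opt_rr() if edns else b'')

def build_response(query, rcode, echo_opt):
    # Constructed reply for offline testing: echoes the question, no answers
    txid = struct.unpack('!H', query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack('!HHHHHH', txid, 0x8000 | rcode, 1, 0, 0, 1 if echo_opt else 0)
    return header + query[12:qend] + (opt_rr() if echo_opt else b'')

def parse_response(msg):
    # Return (rcode, has_opt); walks every section so an OPT anywhere is found
    _txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        has_opt = has_opt or rtype == TYPE_OPT
        off += 10 + rdlen
    return flags & 0x0F, has_opt

def classify_edns(msg):
    # 'capable': OPT echoed back.  'formerr': the OPT was rejected, the case in the
    # thread where BIND then retries without EDNS0.  'stripped': NOERROR but no OPT.
    rcode, has_opt = parse_response(msg)
    if rcode == RCODE_FORMERR:
        return 'formerr'
    return 'capable' if has_opt else 'stripped'
```

A 'formerr' or 'stripped' result against a server you control, when `dig +noedns` style plain queries succeed, points at the path rather than at DNSSEC data itself.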