Enforce EDNS

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Feb 7 09:57:56 UTC 2017


>In message <df501874-ddc1-a864-77b8-1f3646c10a8d at switch.ch>, Daniel Stirnimann writes:
>> Hello all,
>>
>> Our resolver failed to contact an upstream name server as a result of
>> network connectivity issues. named retries eventually worked but as it
>> reverted back to not using EDNS and the answer should have been signed,
>> the query response failed to validate. Subsequent queries towards this
>> upstream name server were not utilizing EDNS either because named
>> remembers a name servers capabilities for some time (See also
>> https://deepthought.isc.org/article/AA-00510/0)
>>
>> My question is, can I enforce EDNS usage for a name server? I was
>> thinking of the 'edns' clause in the server settings [1]. However, this
>> is already enabled by default and only applies to an "attempt".

On 07.02.17 11:59, Mark Andrews wrote:
>I've also been thinking about no longer falling back to plain DNS
>on no answer.  False positives on not supporting EDNS impact
>DNSSEC resolution.  Most firewalls now pass EDNS and most of the
>old Microsoft servers that don't answer a second EDNS request are
>gone.  Any remaining servers would then need to be handled via
>server ... { edns no; };
>
>Unfortunately we then need to decide what to do with servers that
>don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
>plain DNS which works except when there is a signed zone involved
>and the server is validating.

Fall back for how long? Maybe for the same random time as RTT measurements
are done: remember for a while, but retry with EDNS on after.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
