Paul Wouters: Re: [dnssec-deployment] DNS cache issue
Mark Andrews
Mark_Andrews at isc.org
Thu Nov 22 22:30:21 UTC 2007
> On Wed, Nov 21, 2007 at 04:33:25PM +0000, Paul Vixie wrote:
> > is this anything like true? has redhat really extended the named.conf syntax?
> >
>
> Yes. I'm keeping a short patch downstream which adds a global edns option.
> This option was discussed on bind-workers and ISC doesn't want that
> option. Our users have a problem that the log is flooded with
> "..disabling EDNS.." messages. Of course, EDNS is enabled by default,
> but if anyone has a problem with EDNS he will disable it with that
> option.
>
> Adam
The patch is also redundant. You can achieve the same
effect using server clauses.
Also the log message is there so that the broken firewall
will get fixed. Unless you tell people that there is a
problem, it won't get fixed. This is telling them that
they have a problem. DNSSEC really is starting to move
out of the experimental phase. Getting a clear EDNS path
is becoming essential.
Soon we are going to have to treat these failures as packet
loss and not broken firewalls or non-RFC-compliant nameservers.
When that happens we will stop falling back to plain DNS
on timeout. FORMERR, NOTIMP, SERVFAIL etc. will still trigger
fallback.
RFC 103[345] has DNS error codes. EDNS queries should always
be getting a response according to RFC 103[345].
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
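As an added example (not part of this thread or of BIND itself), a small Python script that tallies the "disabling EDNS" log messages Adam mentions per upstream server and renders the per-server `server { edns no; };` clauses Mark points to as the targeted alternative to a global option. The log line layout and the peer address inside the message are constructed assumptions, not verified BIND output.

```python
import re
from collections import Counter

# Constructed sample of BIND log lines. The message wording and the trailing
# "(server A.B.C.D)" field are assumptions made for this example.
SAMPLE_LOG = """\
22-Nov-2007 10:01:02.123 edns-disabled: info: success resolving 'www.example.com/A' (in 'example.com'?) after disabling EDNS (server 192.0.2.53)
22-Nov-2007 10:01:05.456 edns-disabled: info: success resolving 'mail.example.com/MX' (in 'example.com'?) after disabling EDNS (server 192.0.2.53)
22-Nov-2007 10:02:11.789 lame-servers: info: lame server resolving 'foo.example.net' (in 'example.net'?): 198.51.100.7#53
22-Nov-2007 10:03:00.001 edns-disabled: info: success resolving 'ns.example.org/A' (in 'example.org'?) after disabling EDNS (server 203.0.113.9)
22-Nov-2007 10:03:30.002 edns-disabled: info: success resolving 'www.example.com/AAAA' (in 'example.com'?) after disabling EDNS (server 192.0.2.53)
"""

# Matches the assumed message tail and captures the upstream server address.
EDNS_DISABLED = re.compile(
    r"after disabling EDNS \(server (?P<server>[0-9a-fA-F.:]+)\)")


def count_edns_disabled(log_text: str) -> Counter:
    """Count EDNS fallbacks per upstream server address.

    A high count for one peer points at a firewall or middlebox on the
    path to that peer, which is the thing the log message exists to flag."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = EDNS_DISABLED.search(line)
        if m:
            counts[m.group("server")] += 1
    return counts


def server_clauses(counts: Counter, threshold: int) -> str:
    """Render named.conf server clauses for peers at or above the threshold.

    Unlike a global edns switch, this keeps EDNS on for every other peer,
    and the list doubles as the set of paths that still need fixing."""
    lines = []
    for server, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold:
            lines.append(f"server {server} {{ edns no; }};  // {n} fallbacks seen")
    return "\n".join(lines)


if __name__ == "__main__":
    c = count_edns_disabled(SAMPLE_LOG)
    print(c)
    print(server_clauses(c, threshold=2))
```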