Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Mark Andrews Mark_Andrews at isc.org
Thu Nov 22 22:30:21 UTC 2007


> On Wed, Nov 21, 2007 at 04:33:25PM +0000, Paul Vixie wrote:
> > is this anything like true?  has redhat really extended the named.conf synt
> ax?
> > 
> 
> Yes. I'm keeping short patch downstream which adds global edns option.
> This option was discussed on bind-workers and ISC don't want that
> option. Our users has problem that log is flooded with
> "..disabling EDNS.." messages. Of course, EDNS is enabled by default
> but if anyone has problem with EDNS he will disable it with that
> option.
> 
> Adam

	The patch is also redundant.  You can achieve the same
	effect using server clauses.

	Also the log message is there so that the broken firewall
	will get fixed.  Unless you tell people that there is a
	problem, it won't get fixed.  This is telling them that
	they have a problem.  DNSSSEC really is starting to move
	out of the experimental phase.  Getting a clear EDNS path
	is becoming essential.

	Soon we are going to have to treat these failures as packet
	loss and not broken firewalls or non-rfc compliant nameservers.
	When that happens we will stop falling back to plain DNS
	on timeout.  FORMERR, NOTIMP, SERVFAIL etc. will still trigger
	fallback.

	RFC 103[345] has DNS error codes.  EDNS queries should always
	be getting a response according to RFC 103[345].

	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


More information about the bind-workers mailing list