Paul Wouters: Re: [dnssec-deployment] DNS cache issue
Adam Tkac
atkac at redhat.com
Fri Nov 23 08:48:02 UTC 2007
On Fri, Nov 23, 2007 at 09:30:21AM +1100, Mark Andrews wrote:
>
> > On Wed, Nov 21, 2007 at 04:33:25PM +0000, Paul Vixie wrote:
> > > is this anything like true? has redhat really extended the named.conf syntax?
> > >
> >
> > Yes. I'm keeping a short patch downstream which adds a global edns option.
> > This option was discussed on bind-workers and ISC doesn't want that
> > option. Our users have a problem that the log is flooded with
> > "..disabling EDNS.." messages. Of course, EDNS is enabled by default
> > but if anyone has a problem with EDNS he will disable it with that
> > option.
> >
> > Adam
>
> The patch is also redundant. You can achieve the same
> effect using server clauses.
Yes, but it's quite annoying if you have more servers and you want to
disable edns for all of them.
>
> Also the log message is there so that the broken firewall
> will get fixed. Unless you tell people that there is a
> problem, it won't get fixed. This is telling them that
> they have a problem. DNSSEC really is starting to move
> out of the experimental phase. Getting a clear EDNS path
> is becoming essential.
You're right. We discussed that problem here. I should add a log message
when someone disables edns.
>
> Soon we are going to have to treat these failures as packet
> loss and not broken firewalls or non-rfc compliant nameservers.
> When that happens we will stop falling back to plain DNS
> on timeout. FORMERR, NOTIMP, SERVFAIL etc. will still trigger
> fallback.
>
> RFC 103[345] has DNS error codes. EDNS queries should always
> be getting a response according to RFC 103[345].
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
--
Adam Tkac, Red Hat, Inc.
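For readers following the "server clauses" point Mark makes above, here is an added named.conf fragment (not code from either poster, Red Hat, or ISC) showing the standard BIND 9 way of turning EDNS off for selected upstreams without any downstream patch. The addresses are constructed from the 192.0.2.0/24 documentation range; the per-address `server { edns no; }` form is standard BIND 9 syntax, and the prefix form in the last comment is an assumption about what the `server` statement accepts.

```conf
// Added example: disable EDNS only toward the servers that sit behind a
// firewall which drops EDNS packets, instead of globally.
// Addresses are constructed (192.0.2.0/24 is reserved for documentation).
options {
    directory "/var/named";
    // EDNS stays enabled by default for every server not listed below,
    // which is what DNSSEC validation needs (the DO bit rides on EDNS).
};

// One clause per problematic upstream. Each of these will get plain
// 512-byte DNS only, so the log stops reporting EDNS fallbacks for them.
server 192.0.2.10 { edns no; };
server 192.0.2.11 { edns no; };

// Assumed: the server statement also accepts a prefix, so a whole range
// can be covered in one clause when many hosts share the broken path:
// server 192.0.2.0/24 { edns no; };
```

The security-relevant caveat is the one Mark raises: a server listed this way can no longer return DNSSEC material, because the DO bit and large answers both depend on EDNS. Treat each clause as a temporary workaround and keep the underlying firewall problem on the fix list; a quick check that the path has been repaired is `dig +dnssec @192.0.2.10 example.com A`, which should return an answer carrying an OPT record rather than timing out.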