Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Adam Tkac atkac at redhat.com
Fri Nov 23 08:48:02 UTC 2007


On Fri, Nov 23, 2007 at 09:30:21AM +1100, Mark Andrews wrote:
> 
> > On Wed, Nov 21, 2007 at 04:33:25PM +0000, Paul Vixie wrote:
> > > is this anything like true?  has redhat really extended the named.conf syntax?
> > > 
> > 
> > Yes. I'm keeping a short patch downstream which adds a global edns option.
> > This option was discussed on bind-workers and ISC doesn't want that
> > option. Our users have a problem that the log is flooded with
> > "..disabling EDNS.." messages. Of course, EDNS is enabled by default,
> > but if anyone has a problem with EDNS he will disable it with that
> > option.
> > 
> > Adam
> 
> 	The patch is also redundant.  You can achieve the same
> 	effect using server clauses.

Yes, but it's quite annoying if you have more servers and you want to
disable edns for all of them.

> 
> 	Also the log message is there so that the broken firewall
> 	will get fixed.  Unless you tell people that there is a
> 	problem, it won't get fixed.  This is telling them that
> 	they have a problem.  DNSSEC really is starting to move
> 	out of the experimental phase.  Getting a clear EDNS path
> 	is becoming essential.

You're right. We discussed that problem here. I should add a log message
when someone disables edns.

> 
> 	Soon we are going to have to treat these failures as packet
> 	loss and not broken firewalls or non-rfc compliant nameservers.
> 	When that happens we will stop falling back to plain DNS
> 	on timeout.  FORMERR, NOTIMP, SERVFAIL etc. will still trigger
> 	fallback.
> 
> 	RFC 103[345] has DNS error codes.  EDNS queries should always
> 	be getting a response according to RFC 103[345].
> 
> 	Mark
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

-- 
Adam Tkac, Red Hat, Inc.

