Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Allen Smith easmith at
Fri Nov 23 11:30:45 UTC 2007

In message <200711222318.lAMNIxnf095379 at> (on 23 November
2007 10:18:59 +1100), Mark_Andrews at (Mark Andrews) wrote:
>> > .., and I am pretty sure both networks should not have edns issues.
>> most edns issues are really ip fragmentation issues.  firewalls that allow
>> a certain server to send or receive udp/53 but which don't retain IP ID
>> state to allow matching fragments, tend to break edns.  most of the firewalls
>> that do this are software devices running on the same host as the dns
>> server.  fairly often the cure is worse than the disease (allow all frags).
>	Most OS's now have code to deal with fragmentation attacks.
>	I've also found that most responses still fit in a single
>	Ethernet packet.
>		edns-udp-size 1460;  
>	This is from a box which sits behind a nat that doesn't handle
>	out-of-order fragments.

Perhaps, before switching to non-edns, BIND could turn down the
edns-udp-size option itself, and the (much less frequent, please!) log
messages stating it was doing this could suggest doing this manually to
prevent further log messages?


Allen Smith
September 11, 2001		A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin
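The 1460-byte setting quoted above is chosen so a maximal UDP response still fits in one Ethernet frame. As an added example (not code from this thread or from BIND), the Python below builds a query carrying an EDNS0 OPT record that advertises a given edns-udp-size and checks which sizes stay under the fragmentation threshold; it assumes a 1500-byte MTU, a 20-byte IPv4 header, a 40-byte IPv6 header and an 8-byte UDP header.

```python
# Added example (not from the thread): build a DNS query with an EDNS0 OPT
# record and check whether a given edns-udp-size avoids IP fragmentation.
import struct

ETHERNET_MTU = 1500          # assumed path MTU
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}   # minimal IPv4 header / fixed IPv6 header


def max_unfragmented_edns_size(mtu=ETHERNET_MTU, ip_version=4):
    """Largest UDP payload that fits in one packet without fragmentation."""
    return mtu - IP_HEADER[ip_version] - UDP_HEADER


def would_fragment(response_len, mtu=ETHERNET_MTU, ip_version=4):
    """True if a UDP DNS response of response_len bytes exceeds the MTU."""
    return response_len + IP_HEADER[ip_version] + UDP_HEADER > mtu


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, edns_udp_size, dnssec_ok=True, txid=0x1234):
    """Wire-format query whose OPT record advertises edns_udp_size."""
    # header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = sender's UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO bit + zeros(16), RDLENGTH 0
    flags = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, edns_udp_size, 0, 0, flags, 0)
    return header + question + opt


def advertised_udp_size(query):
    """Read the UDP payload size back out of the trailing OPT record."""
    # OPT RR is the last 11 bytes: name(1) type(2) class(2) ttl(4) rdlen(2)
    return struct.unpack("!H", query[-8:-6])[0]
```

With these assumptions 1460 stays under the IPv4 limit of 1472 bytes, but over IPv6 the same setting already exceeds the 1452-byte limit, which is the caveat to keep in mind when copying the value.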
