Paul Wouters: Re: [dnssec-deployment] DNS cache issue
Mark Andrews
Mark_Andrews at isc.org
Fri Nov 23 21:57:33 UTC 2007
> On Fri, Nov 23, 2007 at 09:30:21AM +1100, Mark Andrews wrote:
> >
> > > On Wed, Nov 21, 2007 at 04:33:25PM +0000, Paul Vixie wrote:
> > > > is this anything like true? has redhat really extended the named.conf
> > > > syntax?
> > > >
> > >
> > > Yes. I'm keeping a short patch downstream which adds a global edns option.
> > > This option was discussed on bind-workers and ISC doesn't want that
> > > option. Our users have a problem that the log is flooded with
> > > "..disabling EDNS.." messages. Of course, EDNS is enabled by default
> > > but if anyone has a problem with EDNS he will disable it with that
> > > option.
> > >
> > > Adam
> >
> > The patch is also redundant. You can achieve the same
> > effect using server clauses.
>
> Yes but it's quite annoying if you have more servers and you want
> to disable edns for all of them.

What's so hard about?

    server ::/0 { edns no; };
    server 0.0.0.0/0 { edns no; };

It's not like there will be many server clauses anyway
and you can actually add additional server clauses to
use edns behind the firewall;

    server <internalnet>/mask { edns yes; };

> > Also the log message is there so that the broken firewall
> > will get fixed. Unless you tell people that there is a
> > problem, it won't get fixed. This is telling them that
> > they have a problem. DNSSEC really is starting to move
> > out of the experimental phase. Getting a clear EDNS path
> > is becoming essential.
>
> You're right. We discussed that problem here. I should add a log message
> when someone disables edns.
>
> >
> > Soon we are going to have to treat these failures as packet
> > loss and not broken firewalls or non-rfc compliant nameservers.
> > When that happens we will stop falling back to plain DNS
> > on timeout. FORMERR, NOTIMP, SERVFAIL etc. will still trigger
> > fallback.
> >
> > RFC 103[345] has DNS error codes. EDNS queries should always
> > be getting a response according to RFC 103[345].
> >
> > Mark
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
> --
> Adam Tkac, Red Hat, Inc.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
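
An added example, not part of the original message or of BIND's own code: a small Python audit that reads named.conf text, finds the server clauses that set edns, and reports which setting applies to a given remote server and whether a catch-all clause turns EDNS off everywhere. It assumes the most specific matching prefix wins and that EDNS is on when no clause matches; the sample configuration and the 192.0.2.0/24 "internal" prefix are constructed.

```python
import ipaddress
import re

# server <addr>[/len] { ... };  -- nested braces are not expected in a server clause
SERVER_RE = re.compile(r"\bserver\s+([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{([^}]*)\}\s*;")
EDNS_RE = re.compile(r"\bedns\s+(yes|no)\s*;")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

# Constructed sample: blanket disable plus an exception for an internal net.
SAMPLE_CONF = """
options { directory "/var/named"; };
// fall back to plain DNS for every remote server
server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
server 192.0.2.0/24 { edns yes; };  # internal net (documentation prefix)
"""

def edns_clauses(conf_text):
    """Return [(network, edns_enabled)] for each server clause that sets edns."""
    clauses = []
    for prefix, body in SERVER_RE.findall(COMMENT_RE.sub("", conf_text)):
        setting = EDNS_RE.search(body)
        if setting:
            net = ipaddress.ip_network(prefix, strict=False)
            clauses.append((net, setting.group(1) == "yes"))
    return clauses

def effective_edns(conf_text, server_addr):
    """EDNS setting used for one remote server (assumption: longest prefix wins,
    and EDNS stays enabled when no clause matches)."""
    addr = ipaddress.ip_address(server_addr)
    matches = [(net.prefixlen, on) for net, on in edns_clauses(conf_text)
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else True

def blanket_disables(conf_text):
    """Catch-all prefixes that switch EDNS off, which also rules out DNSSEC
    validation through every server they cover."""
    return [str(net) for net, on in edns_clauses(conf_text)
            if net.prefixlen == 0 and not on]

if __name__ == "__main__":
    for prefix in blanket_disables(SAMPLE_CONF):
        print(f"warning: EDNS disabled for all servers in {prefix}")
    for server in ("192.0.2.53", "198.51.100.7", "2001:db8::1"):
        state = "on" if effective_edns(SAMPLE_CONF, server) else "off"
        print(f"{server}: edns {state}")
```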