Option to turn off EDNS globally?
Lars-Johan Liman
liman at autonomica.se
Thu Sep 20 11:40:54 UTC 2007
atkac at redhat.com:
> Hi all,
> Recently I've got a report that syslog is flooded with messages like
> "Too many timeouts resolving $DOMAIN (in $DOMAIN?): disabling
> EDNS". Of course those messages can be easily suppressed with the
> "edns-disabled" logging option, but this does not suppress EDNS
> queries. I've created a patch which completely disables EDNS
> (the patch adds an edns option). Would it be possible to include it in the
> main source, or is this a step back?
Adam,
I would argue it is a step back.
I've seen problems with EDNS too, but in my experience the most common
case is a bad firewall that has been instructed to drop DNS packets
that are bigger than 512 bytes.
I believe that particular problem can be worked around using
options {
    edns-udp-size 512;
};
I'm less than eager to provide people who have made bad design choices
(e.g. bad firewalls) with work-arounds that will make their systems
even worse and less secure (bad firewall *AND* no EDNS --> e.g., no
DNSSEC).
On the other hand, you may be facing a totally different problem, and
in that case, my comments don't necessarily apply.
Best regards,
/Liman
#----------------------------------------------------------------------
# There are 10 kinds of people in the world. Those who understand
# binary numbers, and those who don't.
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc. ! E-mail: liman at autonomica.se
# Senior Systems Specialist ! HTTP : //www.autonomica.se/
# Autonomica AB, Stockholm ! Voice : +46 8 - 615 85 72
#----------------------------------------------------------------------
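To make the trade-off in the reply above concrete, here is an added example (not code from the thread or from BIND) that builds and parses DNS query messages on the wire, using only the Python standard library. EDNS is carried in a single OPT pseudo-RR in the additional section: its CLASS field is the UDP payload size the sender advertises (what BIND's edns-udp-size sets), and the DNSSEC OK (DO) bit is the top bit of its TTL field. A query with no OPT RR therefore has nowhere to set DO, which is why dropping EDNS altogether also drops DNSSEC, while advertising 512 keeps EDNS and DO but keeps UDP answers within what a 512-byte-limited firewall will pass. The query name and transaction ID below are constructed sample values.

```python
import struct

TYPE_OPT = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x00008000   # DNSSEC OK bit in the OPT RR's 32-bit TTL field
CLASSIC_UDP_MAX = 512  # pre-EDNS UDP payload limit (RFC 1035)


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None, do=False):
    """Build a recursive query; add an OPT RR only when edns_udp_size is given."""
    if do and edns_udp_size is None:
        # The DO bit lives inside the OPT RR, so without EDNS it cannot be set.
        raise ValueError("DNSSEC OK (DO) requires EDNS; no OPT RR to carry it")
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # IN class
    if edns_udp_size is not None:
        ttl = DO_FLAG if do else 0  # ext-rcode 0, version 0, DO, Z=0
        # NAME is the root (0x00); CLASS holds the advertised UDP payload size.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return the OPT RR's EDNS parameters, or None if the message has no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        _, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            return {
                "udp_payload_size": rclass,
                "do": bool(ttl & DO_FLAG),
                "version": (ttl >> 16) & 0xFF,
                "ext_rcode": ttl >> 24,
            }
        off += rdlen
    return None


def max_udp_response_size(query):
    """Largest UDP answer the querier has told the responder it can accept."""
    opt = parse_edns(query)
    return opt["udp_payload_size"] if opt else CLASSIC_UDP_MAX


if __name__ == "__main__":
    # Constructed sample scenarios; "example.com." is a placeholder name.
    plain = build_query("example.com.")
    capped = build_query("example.com.", edns_udp_size=512, do=True)
    large = build_query("example.com.", edns_udp_size=4096, do=True)
    for label, q in (("no EDNS", plain), ("edns-udp-size 512", capped),
                     ("edns-udp-size 4096", large)):
        print(label, len(q), "bytes;", parse_edns(q),
              "; max UDP answer", max_udp_response_size(q))
```

With the 4096-byte advertisement, a responder may send a DNSSEC-signed answer of, say, 1500 bytes in one UDP datagram; a firewall that drops DNS packets over 512 bytes silently eats it and the resolver sees only timeouts. With the 512 advertisement the responder truncates instead and sets TC, the client retries over TCP, and the DO bit still rides along in the OPT RR.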