Option to turn off EDNS globally?

Paul Vixie Paul_Vixie at isc.org
Thu Sep 20 19:07:04 UTC 2007


> > most firewalls don't (can't) hold frag state, so i'm not sure what this
> > means except that for EDNS0 to succeed, a whole lot of firewalls have to be
> > not just reconfigured but redesigned/upgraded.
> 
> Yes, this is a big problem. But tell someone: "You have a problem with BIND
> and EDNS? Buy a new router!"

i wouldn't say that, though.  i'd say "you bought a crappy middlebox and now
the DNS protocol has moved beyond the artificial crappiness of your middlebox
and you'd better oughta gitcherself a new and improved middlebox."

> > > Can we make Bind not use EDNS by default and only use it when it
> > > receives a truncated (UDP) response to a non-EDNS0 query before trying a
> > > standard TCP query or in configurations with DNSSEC? Nominum CNS is
> > > doing this, and it effectively improves the performance with authoritative
> > > servers that don't support EDNS.
> 
> Yes, this behavior makes sense.

no, it does not.  the documented and implemented behaviour optimizes for the
desired ending state, and puts the pain exactly where it belongs during the
transition period.

> I don't know how EDNS would be useful without DNSSEC. But if the RFC says that
> this is impossible, it (meaning the RFC) should be revised before doing this change.

if you want to revise EDNS0 so that it's a response to truncation rather than
an optimistic first approach using non-EDNS as a fallback, you'll have to make
that argument in the IETF "namedroppers at ops.ietf.org" working group, not here.
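The two fallback orders under discussion, EDNS0 first with plain DNS as the fallback and TCP on truncation, as an added Python example that is not code from the thread, from BIND or from Nominum CNS; the `next_step` policy (drop EDNS on timeout, FORMERR or NOTIMP) is a simplifying assumption, not BIND's actual logic, and the sample responses are constructed.

```python
import struct

# Simplified EDNS0 fallback policy (assumption, not BIND's actual logic):
# send with an OPT RR first, drop EDNS on timeout/FORMERR/NOTIMP, go to TCP on TC.
FORMERR, NOTIMP = 1, 4

def build_query(qname, qtype=1, edns=True, udp_size=4096, txid=0x1234):
    """Wire-format query (RFC 1035); with edns=True an OPT RR (RFC 6891)
    is appended in the additional section, advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = wire_name + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def parse_flags(response):
    """(rcode, tc) taken from the header flags word of a response."""
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0200)

def next_step(sent_edns, response):
    """Decide what the resolver does after one exchange; response=None means timeout."""
    if response is None:
        return "retry_without_edns" if sent_edns else "give_up"
    rcode, tc = parse_flags(response)
    if sent_edns and rcode in (FORMERR, NOTIMP):   # classic "I don't speak EDNS" answers
        return "retry_without_edns"
    if tc:                                         # truncated UDP answer: go to TCP
        return "retry_over_tcp"
    return "done"

# Constructed header-only responses (flags: QR|RD|RA = 0x8180, TC bit = 0x0200).
RESP_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
RESP_FORMERR = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0)
RESP_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

def walk(exchanges):
    """Apply the policy to a list of (sent_edns, response) exchanges."""
    return [next_step(edns, resp) for edns, resp in exchanges]

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(walk([(True, None), (False, RESP_TRUNCATED), (True, RESP_OK)]))
```

A timeout on the EDNS0 query followed by success without it is the signature of a middlebox dropping fragmented or OPT-bearing UDP answers, which is the case the thread is arguing about.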
