Option to turn off EDNS globally?

Olafur Gudmundsson ogud at ogud.com
Thu Sep 20 13:19:45 UTC 2007


At 09:04 20/09/2007, Dario Aguilar wrote:
>Mark,
>           I understand your point, but in most cases this middleware is a
>remote firewall or DNS server configuration. Can we make Bind not use
>EDNS by default and only use it when it receives a truncated (UDP) response
>to a non-EDNS0 query before trying a standard TCP query or in configurations
>with DNSSEC? Nominum CNS is doing this, and effectively improves the
>performance with authoritative servers that don't support EDNS.
>
>kind regards,
>
>Dario.

This is a REAL BAD idea. EDNS0 is essential for DNS operation; we want it to
be universally deployed, and until that happens there are going to be hiccups.

When faced with a badly behaving system, the fix is not to change the well
behaving system (BIND) but to expose the badly behaving one and put pressure
on that vendor to get with the times.

Time-out is the network's way to say something does not work correctly,
allowing people to find the problem component; in this case Bind is
working.

Sorry for the harsh tone of this message, but there are TOO many hacks in
Bind already that do non-standard things only to work around badly behaving
systems. While it may provide a short term solution for some, it does not
provide a good long term solution or help other vendors that are doing the
right thing.

Middle boxes such as firewalls, load balancers etc. should not have a free
lunch on protocol misbehavior; people buying crap should suffer and receive
complaints, not the vendors of standards compliant, well behaved systems.

         Olafur



>----- Original Message -----
>From: "Mark Andrews" <Mark_Andrews at isc.org>
>To: "Adam Tkac" <atkac at redhat.com>
>Cc: <bind-workers at isc.org>
>Sent: Thursday, September 20, 2007 9:30 AM
>Subject: Re: Option to turn off EDNS globally?
>
>
>
> > Hi all,
> >
> > Recently I've got a report that syslog is flooded with messages like "Too
> > many timeouts resolving $DOMAIN (in $DOMAIN?): disabling EDNS". Of course
> > those messages will be easily suppressed with the "edns-disabled" logging
> > option, but this does not suppress EDNS queries. I've created a patch which
> > will completely disable EDNS (the patch adds an edns option). Would it be
> > possible to include it in the main source, or is this a step back?
> >
> > Adam
>
>It's really a step backwards.  The message is there to alert
>people about problems they have rather than silently work
>around the problem.  With DNSSEC finally seeing initial
>deployments, EDNS has to work.  It's time to fix the broken
>middleware.
>
>Mark
>
>P.S. the same effect is already achievable without making
>edns a view/global option using server clauses.
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
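The per-server workaround Mark refers to in his P.S., written out as an added named.conf illustration that is not part of the thread. It assumes a single authoritative server at the documentation-range placeholder address 192.0.2.53 that drops EDNS0 queries, and keeps the "disabling EDNS" messages Adam mentions in their own log so the broken peer stays identifiable instead of being silently worked around.

```conf
// named.conf fragment (added example, not from the thread).
// Scope the EDNS workaround to the one misbehaving authoritative
// server rather than turning EDNS off for the whole resolver.
server 192.0.2.53 {          // placeholder: the server that drops EDNS0 queries
    edns no;                 // plain (non-EDNS) queries to this peer only
};

// Route the edns-disabled category to a dedicated file so the
// "Too many timeouts ... disabling EDNS" diagnostics remain visible
// and point at the component that needs fixing.
logging {
    channel edns_log {
        file "/var/log/named/edns-disabled.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category edns-disabled { edns_log; };
};
```

Every other server keeps the default EDNS behaviour, so DNSSEC-capable peers are unaffected by the exception.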


