Thanks. It took a long time to sort out the root cause because EDNS0
(dig @host record.sample +edns=0) caused no problems, only +dnssec
caused failures. The business partner has already fixed their firewall
(allow_dnssec_bit=1 on CheckPoint), but I wanted to understand the root
cause in order to proactively prevent future problems.

Kalman - thanks I'll check the mailing list history. I did that before
posting, but couldn't find the right set of keywords to find the chain
you're referencing.

Kevin ( - apologies for the legal notice. It's added at our SMTP
gateway, so not something I can control on a per-message basis either.
If I could get to my webmail account (also blocked) I'd send from there.
Welcome to corporate environments...

-----Original Message-----
From: Evan Hunt [] 
Sent: 2010, September, 29 7:25 PM
To: Taylor, Gord
Subject: Re: When does BIND send queries with DO flag enabled?

> Can someone explain when BIND sets DO flag and when it won't? Most of 
> my client workstations are XPSP3, and NONE of the queries coming from 
> those clients have DO flag set.

The DO bit is part of the EDNS option record, and some servers (and more
to the point, some firewalls) are broken and don't understand EDNS.
When BIND doesn't initially get an answer to a query, it retries in
different ways, and eventually (on the third try, if I recall correctly)
it tries omitting the EDNS option.  No EDNS means no DO bit, and I'm
pretty sure that's what you're seeing on the trace.

Evan Hunt --
Internet Systems Consortium, Inc.

This e-mail may be privileged and/or confidential, and the sender does not waive
any related rights and obligations. Any distribution, use or copying of this 
e-mail or the information
it contains by other than an intended recipient is unauthorized.
If you received this e-mail in error, please advise me (by return e-mail or 
otherwise) immediately.

Ce courriel peut contenir des renseignements protégés et confidentiels.
L’expéditeur ne renonce pas aux droits et obligations qui s’y rapportent.
Toute diffusion, utilisation ou copie de ce courriel ou des renseignements 
qu’il contient
par une personne autre que le destinataire désigné est interdite.
Si vous recevez ce courriel par erreur, veuillez m’en aviser immédiatement, 
par retour de courriel ou par un autre moyen.
bind-users mailing list

Reply via email to