In message <df501874-ddc1-a864-77b8-1f3646c10...@switch.ch>, Daniel Stirnimann 
writes:
Hello all,

Our resolver failed to contact an upstream name server as a result of
network connectivity issues. named retries eventually worked but as it
reverted back to not using EDNS and the answer should have been signed,
the query response failed to validate. Subsequent queries towards this
upstream name server were not utilizing EDNS as well because named
remembers a name server's capabilities for some time (See also
https://deepthought.isc.org/article/AA-00510/0).

My question is, can I enforce EDNS usage for a name server? I was
thinking of the 'edns' clause in the server settings [1]. However, this
is already enabled by default and only applies to an "attempt".

On 07.02.17 11:59, Mark Andrews wrote:
I've also been thinking about no longer falling back to plain DNS
on no answer.  False positives on not supporting EDNS impact on
DNSSEC resolution.  Most firewalls now pass EDNS and most of the
old Microsoft servers that don't answer a second EDNS request are
gone.  Any remaining servers would then need to be handled via
server ... { edns no; };

Unfortunately we then need to decide what to do with servers that
don't answer EDNS + DNS COOKIE queries.  Currently we fall back to
plain DNS which works except when there is a signed zone involved
and the server is validating.

Fall back for how long? Maybe for the same random time as RTT measurements
are done - remember for a while, but retry with EDNS on after.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
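
The fallback behaviour discussed in this thread, as an added example that is not part of the original messages and is not BIND's code: a simplified model of a resolver that remembers a per-server "no EDNS" verdict, replayed with fallback and a hold-down time versus no fallback at all. The timings, attempt counts, class and function names and the address 192.0.2.53 are assumptions made for illustration.

```python
# Simplified model (constructed for illustration; not how named is implemented).
# Without EDNS there is no DO bit, so a signed zone's answer arrives without
# RRSIGs and a validating resolver treats it as bogus.

TIMEOUT = 2       # assumed seconds spent on each unanswered attempt
EDNS_TRIES = 2    # assumed EDNS attempts before EDNS is given up on
PLAIN_TRIES = 2   # assumed plain-DNS attempts after falling back


class Resolver:
    def __init__(self, fallback=True, hold_down=300):
        self.fallback = fallback      # False models "no fallback on no answer"
        self.hold_down = hold_down    # seconds a "no EDNS" verdict is remembered
        self.no_edns_until = {}       # server -> time until which EDNS is skipped

    def query(self, server, now, reachable):
        """Query a signed zone; return 'validated', 'bogus' or 'timeout'."""
        t = now
        if self.no_edns_until.get(server, 0) <= now:
            # No verdict, or it has expired: try EDNS again.
            self.no_edns_until.pop(server, None)
            for _ in range(EDNS_TRIES):
                if reachable(t):
                    return "validated"    # EDNS + DO: signatures returned
                t += TIMEOUT
            if not self.fallback:
                return "timeout"          # transient failure, nothing remembered
            # A network outage looks the same as a server that drops EDNS.
            self.no_edns_until[server] = t + self.hold_down
        for _ in range(PLAIN_TRIES):
            if reachable(t):
                return "bogus"            # answer without RRSIGs fails validation
            t += TIMEOUT
        return "timeout"


def outage(t):
    """Constructed scenario: the path to the server is down for t in [0, 3)."""
    return t >= 3


def replay(resolver, times=(0, 10, 400)):
    """Send one query at each time in `times` and collect the outcomes."""
    return [resolver.query("192.0.2.53", t, outage) for t in times]


if __name__ == "__main__":
    print("fallback, 300s hold-down:", replay(Resolver()))
    print("fallback, long hold-down:", replay(Resolver(hold_down=3600)))
    print("no fallback:             ", replay(Resolver(fallback=False)))
```

In this model a three-second outage costs the no-fallback resolver one timed-out query, while the fallback resolver keeps returning validation failures until the remembered verdict expires.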