Hi list,

I have some servers with bind 9.5.0.P2 and one with bind 9.6.1.
The server logs have a lot of messages with "after disabling EDNS", as seen below:

[...]
Jul 20 15:31:34 server named[6909]: edns-disabled: info: success resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'smtpgw1.gov.on.ca/A' (in 'smtpgw1.gov.on.ca'?) after disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jul 20 15:31:40 server named[6909]: edns-disabled: info: success resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns1.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns2.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'mail.skystyle.de/A' (in 'skystyle.DE'?) after disabling EDNS
Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'skystyle.de/MX' (in 'skystyle.DE'?) after disabling EDNS
Jul 20 15:31:46 server named[6909]: edns-disabled: info: success resolving 'goodgame.se/MX' (in 'goodgame.SE'?) after disabling EDNS
Jul 20 15:31:47 server named[6909]: edns-disabled: info: success resolving 'regions.com/MX' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:52 server named[6909]: edns-disabled: info: success resolving 'ns2.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'ns1.regions.com/AAAA' (in 'regions.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'markets.nytimes.wallst.com/A' (in 'markets.nytimes.wallst.COM'?) after disabling EDNS
Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'backupmx.nextweb.net/A' (in 'nextweb.net'?) after disabling EDNS
Jul 20 15:31:54 server named[6909]: edns-disabled: info: success resolving 'delphiproductions.com/MX' (in 'delphiproductions.COM'?) after disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'portaldosgames.click21.com.br/A' (in 'portaldosgames.click21.com.br'?) after disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'obaoba.click21.com.br/A' (in 'obaoba.click21.com.br'?) after disabling EDNS
Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'bemleve.click21.com.br/A' (in 'bemleve.click21.com.br'?) after disabling EDNS
Jul 20 15:32:17 server named[6909]: edns-disabled: info: success resolving 'fineprintech.com/MX' (in 'fineprintech.COM'?) after disabling EDNS
Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'fotos.click21.com.br/A' (in 'fotos.click21.com.br'?) after disabling EDNS
Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'giulianaflores.click21.com.br/A' (in 'giulianaflores.click21.com.br'?) after disabling EDNS
Jul 20 15:32:27 server named[6909]: edns-disabled: info: success resolving 'mailwebslice.cloudapp.net/A' (in 'cloudapp.net'?) after disabling EDNS
[...]

For queries to remote servers that don't support EDNS, the time to resolve after disabling EDNS is generally over the timeout (5 seconds) of the clients (resolvers), and the query fails. My infrastructure doesn't have a firewall between the DNS server and the Internet link, so it supports UDP packets > 512 bytes. Queries to Akamai servers don't work with EDNS. To resolve this problem I configured bind with the directive "server <IP> { edns no; };", but it isn't a good solution.
From my server, some queries with EDNS work and some don't.

Does anyone have this problem? Look at the tests below:

-------------------------------------------------------------------------------------------------------------------------------
*Akamai plain DNS - OK*

# dig @n0g.akamai.net a961.g.akamai.net

; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63022
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a961.g.akamai.net.             IN      A

;; ANSWER SECTION:
a961.g.akamai.net.      20      IN      A       200.157.208.241
a961.g.akamai.net.      20      IN      A       200.157.208.240

;; Query time: 22 msec
;; SERVER: 200.216.69.243#53(200.216.69.243)
;; WHEN: Mon Jul 20 15:48:00 2009
;; MSG SIZE  rcvd: 67

-------------------------------------------------------------------------------------------------------------------------------
*Akamai with EDNS - FAIL*

# dig @n0g.akamai.net a961.g.akamai.net +bufsize=500

; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=500
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

-------------------------------------------------------------------------------------------------------------------------------
*.BR plain DNS - OK*

# dig @a.dns.br br ns +noadditional

; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19236
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 8
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;br.                            IN      NS

;; ANSWER SECTION:
br.                     172800  IN      NS      a.dns.br.
br.                     172800  IN      NS      b.dns.br.
br.                     172800  IN      NS      c.dns.br.
br.                     172800  IN      NS      d.dns.br.
br.                     172800  IN      NS      e.dns.br.
br.                     172800  IN      NS      f.dns.br.

;; Query time: 28 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Mon Jul 20 15:55:24 2009
;; MSG SIZE  rcvd: 274
-------------------------------------------------------------------------------------------------------------------------------
*.BR with EDNS - OK*

dig @a.dns.br br ns +noadditional +bufsize=500

; <<>> DiG 9.6.1 <<>> @a.dns.br br ns +noadditional +bufsize=500
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59275
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;br.                            IN      NS

;; ANSWER SECTION:
br.                     172800  IN      NS      a.dns.br.
br.                     172800  IN      NS      b.dns.br.
br.                     172800  IN      NS      c.dns.br.
br.                     172800  IN      NS      d.dns.br.
br.                     172800  IN      NS      e.dns.br.
br.                     172800  IN      NS      f.dns.br.

;; Query time: 29 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Mon Jul 20 16:00:57 2009
;; MSG SIZE  rcvd: 285
-------------------------------------------------------------------------------------------------------------------------------

Thanks in advance,

--
Regards,
Breno S. Soares
Network Analyst
SERPRO/SUPRE/REBHE
Tel: (31) 3311-6825
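
A log summarizer for the "edns-disabled" messages quoted in the post, added here as an example (it is not part of the original message and not ISC code). It groups entries per zone and separates full EDNS fallback from the 512-octet size reduction, which shows which zones' servers are candidates for a per-server "edns no" setting; the sample lines are copied from the excerpt in the post, plus one constructed non-matching line.

```python
import re
from collections import defaultdict

# Matches the two "edns-disabled" message forms shown in the post.
LINE_RE = re.compile(
    r"edns-disabled: info: success resolving "
    r"'(?P<name>[^/']+)/(?P<type>[A-Z0-9]+)' \(in '(?P<zone>[^']+)'\?\) "
    r"after (?P<action>disabling EDNS|"
    r"reducing the advertised EDNS UDP packet size to 512 octets)"
)

def summarize(lines):
    """Return {zone: {"disabled": n, "reduced-512": n, "names": set}}."""
    zones = defaultdict(
        lambda: {"disabled": 0, "reduced-512": 0, "names": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named/syslog line
        # named logs the zone with mixed case ('ipass.COM'); DNS names are
        # case-insensitive, so normalise before grouping.
        zone = m["zone"].lower().rstrip(".")
        kind = ("disabled" if m["action"] == "disabling EDNS"
                else "reduced-512")
        zones[zone][kind] += 1
        zones[zone]["names"].add(f"{m['name'].lower()}/{m['type']}")
    return dict(zones)

PFX = "server named[6909]: edns-disabled: info: success resolving "
SAMPLE = [
    # Copied from the log excerpt in the post.
    "Jul 20 15:31:39 " + PFX + "'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) "
    "after reducing the advertised EDNS UDP packet size to 512 octets",
    "Jul 20 15:31:40 " + PFX + "'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS",
    "Jul 20 15:31:42 " + PFX + "'ns1.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS",
    "Jul 20 15:31:42 " + PFX + "'ns2.bic.pt/AAAA' (in 'bic.pt'?) after disabling EDNS",
    "Jul 20 15:31:47 " + PFX + "'regions.com/MX' (in 'regions.COM'?) after disabling EDNS",
    # Constructed line that must be ignored.
    "Jul 20 15:31:48 server named[6909]: general: info: constructed unrelated message",
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(),
                    key=lambda kv: -(kv[1]["disabled"] + kv[1]["reduced-512"]))
    for zone, s in ranked:
        print(f"{zone:15} disabled={s['disabled']} "
              f"reduced-512={s['reduced-512']} names={sorted(s['names'])}")
```
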


