We had a similar issue here (although the cause was CheckPoint's SmartDefence being turned on for a business partner, which prevented EDNS0 packets). The behaviour is that BIND 9 will attempt EDNS0 3 times, then fail back to EDNS disabled. It will clear any backlog of queries FOR THAT SAME NAME, then revert back to using EDNS0. Lather/rinse/repeat.

Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet Technologies | Royal Bank of Canada

-----Original Message-----
From: bind-users-bounces+gord.taylor=rbc....@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc....@lists.isc.org] On Behalf Of PPA
Sent: 2011, October, 20 9:50 AM
To: bind-users@lists.isc.org
Subject: DNSSEC and EDNS behavior

Hello,

does anybody know how BIND running as a DNS caching resolver makes the decision to disable the EDNS0 OPT query sent to a certain nameserver it is talking to? What are the situations (timeouts, FORMERR, etc.) to mark the server as unable to speak EDNS0? (add_bad) How can the server be recovered again as EDNS0 capable?

We got a situation when our authoritative nameserver returned damaged data and BIND (BIND 9.7.3-P3 on CentOS 6 2.6.32-71.29.1.el6.i686 32bit) evaluated it as FORMERR. After that, it talked to our server without EDNS0 even if there was an EDNS0 OPT included in the previous response. The only recovery was to flush the cache.

Thanks for replies

Regards
Milan Leszkow

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
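
To check from captured resolver traffic whether the fallback cycle described in the reply above is happening, the outgoing queries can be inspected for the EDNS0 OPT record. This is an added example, not part of the original thread and not BIND's own code; the function names and the sample queries are constructed for illustration, and the threshold of three attempts is taken from the reply.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)

def build_query(name, edns=True, qid=0x1234, bufsize=4096):
    """Build an A/IN query in wire format, with or without an EDNS0 OPT RR."""
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, 1 if edns else 0)
    for label in name.strip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\0" + struct.pack("!2H", 1, 1)
    if edns:
        # Root owner, TYPE=OPT, CLASS=UDP payload size, TTL carries the DO bit, RDLEN=0
        msg += b"\0" + struct.pack("!HHIH", OPT, bufsize, 0x8000, 0)
    return msg

def read_name(msg, off):
    """Return (dotted name, offset after it); a compression pointer ends the name."""
    labels = []
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        labels.append(msg[off + 1: off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + (2 if msg[off] else 1)

def parse(msg):
    """Return (qname, has_opt) for one DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        name, off = read_name(msg, off)
        qname = qname or name
        off += 4                                  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT and i >= an + ns:         # OPT only counts in the additional section
            return qname, True
    return qname, False

def edns_fallbacks(queries, tries=3):
    """Names where `tries` consecutive EDNS0 queries were followed by a plain one."""
    streak, flagged = {}, []
    for pkt in queries:                           # queries to one server, in time order
        name, has_opt = parse(pkt)
        if not has_opt and streak.get(name, 0) >= tries and name not in flagged:
            flagged.append(name)
        streak[name] = streak.get(name, 0) + 1 if has_opt else 0
    return flagged

# Constructed sample: three EDNS0 attempts, then a plain retry, for one name.
SAMPLE = ([build_query("partner.example")] * 3
          + [build_query("partner.example", edns=False), build_query("ok.example")])
```

Calling `edns_fallbacks(SAMPLE)` flags `partner.example.`; a name that keeps reappearing in this list for a single remote server points at something on the path dropping EDNS0 packets.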