In message <1322573807.4832.44.ca...@mje99.posix.co.za>, Mark Elkins writes:

> I'm running Bind 9.7.3-P3 (Gentoo build)...
>
> When does 'EDNS' get brought into the picture?
> A 'dig' with '+dnssec' works just fine (more than 512 bytes over UDP) -
> but a dig without '+dnssec' and actually asking for the 'dnskey' records
> for a domain - which is over 512 bytes - does a "Truncated, retrying in
> TCP Mode" on me - even when asking "localhost".
>
> I thought that EDNS0 was negotiated or pretty much the default and didn't
> have to be kicked into action???? Is this some sort of safety default
> feature I need to de-activate via named.conf (which has no mention of
> EDNS anything)?
>
> I'd honestly never noticed this before...
> --
> . . ___. .__ Posix Systems - (South) Africa
> /| /| / /__ m...@posix.co.za - Mark J Elkins, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
Modern nameservers use EDNS by default. They also deal with stupid firewalls that drop EDNS or DO=1 requests or block the larger replies, and retry on FORMERR/SERVFAIL etc. using plain DNS when talking to non-EDNS-aware nameservers. Stub resolvers generally do not unless it has been requested or is required for other functionality like getting DNSSEC records in responses.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org