As long as all 4 DNS servers are running the same version, my first suggestion would be to check firewalls for dropped packets.
Some FW/IPS drop packets with edns versions other 0 because they see it as an attack. On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson <nmaxpier...@gmail.com wrote: > Hi List, > > I am trying to ensure our Bind servers comply with EDNS for the upcoming > Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but > from what I have read, the information is somewhat conflicting as some > documentation states EDNS is not a record that you configure in your zone > file then other sites refer to some sort of OPT record you can configure. > So my first question is which of the documentation is correct from what I > have read? Is it DNS server functionality that supports EDNS or do you also > have to configure something in the zone files? > > Also, I have 4 (well 5 counting the master that isn't queryable) > nameservers with multiple domains served on them. When I run one of my > primary domains through the ISC EDNS tool, it comes back as 2 out of the 4 > are failing EDNS queries.They are all on the same version of Bind > (9.8.2rc1) and they are all slaves of the master so they should all have > the same records. Can anyone please explain what I need to do to resolve > the timeouts listed on the ISC testing tool? > > Here is what the tool says ... > > > venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok *edns1=timeout* > edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok > edns512tcp=ok *optlist=timeout* > > venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok > ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok > optlist=ok > venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok > edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok > edns512tcp=ok optlist=ok > > venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok > ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok > optlist=ok > venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok > edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok > edns512tcp=ok optlist=ok > > venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok *edns1=timeout* > edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok > edns512tcp=ok *optlist=timeout* > > > TIA!! > > Regards, > > Max > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users