This page provides a way to test EDNS:
https://www.dns-oarc.net/oarc/services/replysizetest

BIND acts this way:

It makes an EDNS query of full size; if there is no answer, it makes a DNS
query and requests that the response be limited to a 512-byte answer. There
it will usually get an answer saying that the result is too big to fit in
such a UDP packet; therefore, BIND finally makes the query over TCP and gets
the result needed.

With low TTLs and overloaded TXT records, it is not rare that the mail server
does not get the SPF record in time for a non-null but significant portion
of emails from a domain.

UDP fragments are not a security issue, they are essential for DNS.

On Thu, May 5, 2016 at 3:29 AM, Tony Finch <d...@dotat.at> wrote:

> Michael Wise <michael.w...@microsoft.com> wrote:
> >
> > So is the FORMERR ... just the resolver noting that EDNS is not
> > supported?
> >
> > If so, I'm uncertain of the issue.
>
> There has been some discussion of this problem on the bind-users list, see
> https://lists.isc.org/pipermail/bind-users/2016-May/thread.html
>
> The problems seem to be:
>
> (1) Very short TTL on the NS records, which means that most attempts to
> resolve the names have to go through iterative name server discovery.
>
> (2) Only two NS records, but each server has a large number of IP
> addresses, and the sets of IP addresses overlap.
>
> (3) Lack of EDNS support means more work has to be done by a resolver each
> time the TTL expires.
>
> The way to fix this would be to increase the stability of the name server
> records - the NS records and associated address records. Give them
> decently long TTLs, have a few more NS records, with few non-overlapping
> IP addresses each.
>
> Add support for EDNS to your server - you don't need to support any
> special EDNS features (no need for large packets), just handle OPT
> records, so that resolvers don't have to do error recovery.
>
> Tony.
> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Irish Sea: South 4 or 5 becoming variable 3 or 4. Slight or moderate.
> Occasional drizzle, fog patches in north. Moderate or good, occasionally
> very poor in north.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
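
A simplified model of the fallback sequence described in this message (EDNS over UDP, then plain DNS limited to 512 bytes, then TCP), added here as an example; it is not part of the original thread and is not BIND's own code. The server replies are constructed, and the function names, the 4096-byte EDNS size and example.com are assumptions.

```python
import struct

FORMERR, TYPE_TXT, TYPE_OPT, CLASS_IN = 1, 16, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns_size=None, msg_id=0x1234):
    """Build a query; if edns_size is set, append an OPT pseudo-RR (RFC 6891)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0) if edns_size else b""
    return header + question + opt   # without OPT the reply limit is 512 bytes

def build_response(query, rcode=0, tc=False):
    """Constructed server reply: echoes the ID and question, carries no records."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0200 if tc else 0) | rcode   # QR=1, RD=1, optional TC
    qend = 12 + query[12:].index(b"\x00") + 5        # name terminator + type/class
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + query[12:qend]

def next_step(sent_edns, response):
    """Pick the resolver's next attempt from a reply (None means it timed out)."""
    if response is None:
        return "retry-plain-udp" if sent_edns else "give-up"
    flags = struct.unpack("!H", response[2:4])[0]
    if sent_edns and (flags & 0x000F) == FORMERR:
        return "retry-plain-udp"    # server rejected the OPT record
    if flags & 0x0200:
        return "retry-tcp"          # TC bit: answer did not fit in the UDP reply
    return "done"

def resolve_trace(replies):
    """Walk the fallback chain; replies maps "edns"/"plain" to a fake server."""
    trace = ["edns-udp"]
    step = next_step(True, replies["edns"](build_query("example.com", TYPE_TXT, 4096)))
    if step == "retry-plain-udp":
        trace.append("plain-udp")
        step = next_step(False, replies["plain"](build_query("example.com", TYPE_TXT)))
    if step == "retry-tcp":
        trace.append("tcp")
    return trace

if __name__ == "__main__":
    slow = {"edns": lambda q: None, "plain": lambda q: build_response(q, tc=True)}
    print(resolve_trace(slow))
```

Each extra entry in the trace is another round trip (or a timeout) before the TXT record arrives, which is the delay the message describes for SPF lookups.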