Re: DNSSEC and EDNS behavior

2011-10-20 Thread Evan Hunt
> What are the situations (timeouts, FORMERR, etc.) that mark the server
> as unable to speak EDNS0? (add_bad)

named tries to send a query with EDNS(0); if the query fails, it will try
again with EDNS(0) but with the packet size limited to 512 bytes; and if
that fails, it will try again without EDNS(0).  If at that point it
succeeds, then it memorizes the formula that worked: it won't try to use
EDNS(0) again with that server for the duration of the server's TTL, or
one day, whichever is shorter.

> How can the server be recovered again as EDNS0 capable?
[...]
> The only recovery was to flush the cache.

I don't think you need to flush the whole cache; 'rndc flushname '
will clear the entry for the affected name server, and should be
sufficient.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
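A toy model of the fallback Evan describes, added here as an illustration and not BIND's own code: the three-step ladder, the per-server memory of the degraded mode capped at min(server TTL, one day), and clearing that entry the way rndc flushname would. The send() callback and the state layout are assumptions of the model, not named internals.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ONE_DAY = 86400
# The ladder named walks down: full EDNS(0), EDNS(0) with a 512-byte
# advertised buffer, then a plain query with no OPT record at all.
LADDER = ("edns0", "edns0-512", "no-edns")


@dataclass
class ServerState:
    mode: str       # the degraded mode that last worked for this server
    expires: float  # absolute time after which EDNS(0) is tried again


@dataclass
class Resolver:
    """Hypothetical model of named's per-nameserver EDNS fallback."""
    servers: Dict[str, ServerState] = field(default_factory=dict)

    def query(self, server: str, ttl: int, send: Callable[[str], bool],
              now: Optional[float] = None) -> Tuple[Optional[str], List[str]]:
        """Walk the ladder; return (mode that worked or None, modes attempted).

        send(mode) stands in for the wire exchange: True means a usable
        answer came back, False means a timeout or FORMERR.
        """
        now = time.time() if now is None else now
        state = self.servers.get(server)
        if state is not None and now < state.expires:
            # Memorised failure still valid: skip straight to the known-good mode.
            order = LADDER[LADDER.index(state.mode):]
        else:
            self.servers.pop(server, None)  # expired (or never recorded)
            order = LADDER
        attempted: List[str] = []
        for mode in order:
            attempted.append(mode)
            if send(mode):
                if mode != "edns0":
                    # Remember the degraded mode for min(server TTL, one day).
                    self.servers[server] = ServerState(mode, now + min(ttl, ONE_DAY))
                return mode, attempted
        return None, attempted

    def flushname(self, server: str) -> None:
        """Equivalent of 'rndc flushname <server>': forget the memorised mode."""
        self.servers.pop(server, None)
```

Note that the DO bit travels in the EDNS OPT record, so a server pinned to the no-EDNS mode cannot be asked for DNSSEC records until that entry expires or is flushed.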


RE: DNSSEC and EDNS behavior

2011-10-20 Thread Taylor, Gord
 
We had a similar issue here (although the cause was CheckPoint's
SmartDefence being turned on for a business partner, which prevented
EDNS0 packets). The behaviour is that BIND 9 will attempt EDNS0 3 times,
then fail back to EDNS disabled. It will clear any backlog of queries
FOR THAT SAME NAME, then revert back to using EDNS0.
Lather/rinse/repeat.

Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet
Technologies | Royal Bank of Canada 


DNSSEC and EDNS behavior

2011-10-20 Thread PPA
Hello,

Does anybody know how BIND, running as a caching DNS resolver, decides
to disable the EDNS0 OPT query sent to a certain nameserver it is
talking to?

What are the situations (timeouts, FORMERR, etc.) that mark the server
as unable to speak EDNS0? (add_bad)

How can the server be recovered again as EDNS0 capable?

We had a situation where our authoritative nameserver returned damaged
data and BIND (BIND 9.7.3-P3 on CentOS 6, 2.6.32-71.29.1.el6.i686, 32-bit)
evaluated it as FORMERR.

After that, it talked to our server without EDNS0 even though there was
an EDNS0 OPT included in the previous response.

The only recovery was to flush the cache.


Thanks for your replies

Regards
Milan Leszkow