Re: disableing EDNS messages bind-9.5.0
Dean Clapper wrote: I'm trying to troubleshoot why we are getting a lot of disabling EDNS messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box. [...] Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving '196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?): disabling EDNS I started receiving these messages after updating from 9.4 - 9.5. I've found a couple places to test packet sizes, but have not had any problem. The messages about zen.spamhaus.org leads me to possibly email related issues. On 28.01.09 08:04, Danny Thomas wrote: add category edns-disabled { null; }; after verifying your nameserver(s) have an EDNS0 clear path by trying the 2 tests mentioned below by Mark Andrews. I strongly recommend you upgrading the BIND first. Later versions issue that message much less often. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
I'm trying to troubleshoot why we are getting a lot of disabling EDNS messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box. Jan 27 11:42:23 ns0 named[27764]: too many timeouts resolving 'host2.centmine.com/' (in 'centmine.com'?): disabling EDNS Please consider using 9.5.1-P1 or 9.6.0-P1. They include EDNS improvements related to logging. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
Dean Clapper wrote: I'm trying to troubleshoot why we are getting a lot of disabling EDNS messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box. Jan 27 11:42:23 ns0 named[27764]: too many timeouts resolving 'host2.centmine.com/' (in 'centmine.com'?): disabling EDNS Jan 27 11:42:24 ns0 named[27764]: too many timeouts resolving 'host1.centmine.com/' (in 'centmine.com'?): disabling EDNS Jan 27 11:42:38 ns0 named[27764]: too many timeouts resolving 'pts1.abovecow.com/' (in 'abovecow.com'?): disabling EDNS Jan 27 11:42:38 ns0 named[27764]: too many timeouts resolving 'pts2.abovecow.com/' (in 'abovecow.com'?): disabling EDNS ... Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving '196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?): disabling EDNS I started receiving these messages after updating from 9.4 - 9.5. I've found a couple places to test packet sizes, but have not had any problem. The messages about zen.spamhaus.org leads me to possibly email related issues. googling disabling EDNS would have been a start anyway add category edns-disabled { null; }; after verifying your nameserver(s) have an EDNS0 clear path by trying the 2 tests mentioned below by Mark Andrews. here's the comment from our named.conf template We were somewhat concerned when seeing lots of these messages with 9.5: edns-disabled: info: too many timeouts resolving 'query' The description in ARM: This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don’t understand. Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports. Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned. The following link http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/cfa8c63ec6bd08d6 describes cases when EDNS is being blocked * A Firewall that doesn't allow through DNS packets 512 bytes. * A Firewall/NAT that doesn't allow IP fragments through. dig +norec +dnssec example.com @a.root-servers.net Can be used to test if you firewall supports packets 512. dig +dnssec +norec +ignore dnskey se @A.NS.se Can be used to test if IP fragments can get though at all. The last sentence in Mark's message doesn't correspond to my experience: These messages are rare events with a EDNS clear path as I manually checked around 20 of these logged queries and found that nearly all resulted in dig reporting no servers could be reached. The messages appeared in 9.5 because it always tries EDNS but I think they mostly come from lame delegations (those 2 EDNS0 tests went OK). Danny ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
In message pine.neb.4.64.0901271203100.26...@tx.reedmedia.net, Jeremy C. Ree d writes: I'm trying to troubleshoot why we are getting a lot of disabling EDNS messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box. Jan 27 11:42:23 ns0 named[27764]: too many timeouts resolving 'host2.centmine.com/' (in 'centmine.com'?): disabling EDNS Please consider using 9.5.1-P1 or 9.6.0-P1. They include EDNS improvements related to logging. They also have this fix which can result in packets appearing to get lost. Mark 2504. [bug] Address race condition in the socket code. [RT #18899] -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users