[dns-operations] EDNS0 fallback in the era of DNSSEC
Paul Hoffman
paul.hoffman at vpnc.org
Mon Apr 29 14:30:38 UTC 2013
On Apr 29, 2013, at 6:50 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> If BIND experiences a timeout on a query for a domain, it assumes this might
> be because of EDNS0 compatibility issues, and retries without EDNS0.
>
> BIND does this even for domains for which it wants to do validation. Since
> it does not get RRSIGs if it does not use EDNS0, it declares all future
> answers bogus. Unbound does not do EDNS0 fallback for domains for which it
> has seen a trust anchor or DS.
Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed?
--Paul Hoffman
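To make the interaction Bert describes concrete, here is an added model (not code from BIND, Unbound or anyone on this thread) of the two retry policies. It builds real wire-format queries with and without the EDNS0 OPT RR, uses a constructed upstream that drops every EDNS0 query (standing in for a broken middlebox or firewall), and shows why a resolver that retries without EDNS0 can never receive RRSIGs: the DO bit only exists inside the OPT RR. The "bind"/"unbound" policy names and the upstream are assumptions for illustration.

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000     # "DNSSEC OK" flag, carried in the OPT RR's TTL field (RFC 3225)

def _encode_name(name):
    labels = [lb.encode("ascii") for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"

def build_query(qname, qtype=1, edns0=True, do=True, txid=0x1234, udp_size=4096):
    """Wire-format query; with edns0=True an OPT RR carrying the DO bit is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)  # RD set
    msg = header + _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns0:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags (DO lives here), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)
    return msg

def signals_do(query):
    """True when the query carries an OPT RR with DO set, i.e. asks for RRSIGs."""
    if struct.unpack("!H", query[10:12])[0] == 0:   # ARCOUNT 0: no OPT RR at all
        return False
    owner, rrtype, _, ttl, _ = struct.unpack("!BHHIH", query[-11:])
    return owner == 0 and rrtype == OPT_TYPE and bool(ttl & DO_BIT)

def edns0_dropping_upstream(query):
    """Constructed upstream: a path that silently drops EDNS0 queries (None = timeout)
    and answers plain ones; RRSIGs are only included when DO was signalled."""
    if struct.unpack("!H", query[10:12])[0] != 0:
        return None
    return {"rrsig": signals_do(query)}

def resolve(qname, upstream, has_ds_or_trust_anchor, policy):
    """Model the two policies from the thread (assumed names):
    "bind"    retries without EDNS0 on any timeout;
    "unbound" skips that retry once a DS or trust anchor is known for the zone."""
    answer = upstream(build_query(qname))
    if answer is None and (policy == "bind" or not has_ds_or_trust_anchor):
        answer = upstream(build_query(qname, edns0=False))
    if answer is None:
        return "timeout"
    if has_ds_or_trust_anchor:
        # the validator expects signatures under this trust anchor; a plain
        # (non-EDNS0) query can never bring them back, so the answer is bogus
        return "secure" if answer["rrsig"] else "bogus"
    return "insecure"

if __name__ == "__main__":
    for policy in ("bind", "unbound"):
        print(policy, resolve("example.org.", edns0_dropping_upstream, True, policy))
```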