[dns-operations] EDNS0 fallback in the era of DNSSEC
paul.hoffman at vpnc.org
Mon Apr 29 14:30:38 UTC 2013
On Apr 29, 2013, at 6:50 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> If BIND experiences a timeout on a query for a domain, it assumes this might
> be because of EDNS0 compatibility issues, and retries without EDNS0.
> BIND does this even for domains for which it wants to do validation. Since
> it does not get RRSIGs if it does not use EDNS0, it declares all future
> answers bogus. Unbound does not do EDNS0 fallback for domains for which it
> has seen a trust anchor or DS.
Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed?
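
The two resolver policies described in the quoted message, as a simplified model added here for illustration (not BIND or Unbound code, and not part of the original post). `FlakyAuth`, `Resolver` and all other names are constructed, and sending EDNS0 is treated as also setting DO=1.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:
    rrset: str
    rrsigs: list  # empty when the query carried no EDNS0 OPT record (no DO bit)

class FlakyAuth:
    """Constructed authoritative server for a signed zone. It drops the first
    `drops` queries (plain packet loss, not an EDNS0 incompatibility)."""
    def __init__(self, drops):
        self.drops = drops

    def query(self, name, edns0):
        if self.drops > 0:
            self.drops -= 1
            return None                          # the resolver sees a timeout
        sigs = ["RRSIG(A)"] if edns0 else []     # RRSIGs only come back with EDNS0/DO
        return Answer(f"{name} A 192.0.2.1", sigs)

@dataclass
class Resolver:
    secure_zones: set                 # zones with a trust anchor or DS seen
    skip_fallback_when_secure: bool   # True models the second policy in the message
    no_edns: set = field(default_factory=set)   # servers remembered as "no EDNS0"

    def resolve(self, server_id, server, zone, name, tries=3):
        secure = zone in self.secure_zones
        for _ in range(tries):
            edns0 = server_id not in self.no_edns
            ans = server.query(name, edns0)
            if ans is None:
                # Timeout: the fallback policy blames EDNS0 and remembers it.
                if edns0 and not (secure and self.skip_fallback_when_secure):
                    self.no_edns.add(server_id)
                continue
            if not secure:
                return "insecure"
            return "secure" if ans.rrsigs else "bogus"
        return "servfail"

def demo():
    """One dropped packet, then two lookups under each policy."""
    out = {}
    for label, skip in (("fallback-always", False), ("no-fallback-if-secure", True)):
        r, auth = Resolver({"example."}, skip), FlakyAuth(drops=1)
        out[label] = tuple(r.resolve("ns1", auth, "example.", "www.example.")
                           for _ in range(2))
    return out

if __name__ == "__main__":
    print(demo())
```

In the model a single lost packet is enough to leave the always-fallback resolver returning bogus for a correctly signed zone on every later lookup, while the other policy retries with EDNS0 and validates.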