[dns-operations] EDSN0 fallback in the era of DNSSEC

Paul Hoffman paul.hoffman at vpnc.org
Mon Apr 29 14:30:38 UTC 2013

On Apr 29, 2013, at 6:50 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:

> If BIND experiences a timeout on a query for a domain, it assumes this might
> be because of EDNS0 compatibility issues, and retries without EDNS0.
> BIND does this even for domains for which it wants to do validation.  Since
> it does not get RRSIGs if it does not use EDNS0, it declares all future
> answers bogus.  Unbound does not do EDNS0 fallback for domains for which it
> has seen a trust anchor or DS.

Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed? 

--Paul Hoffman

More information about the dns-operations mailing list