[dns-operations] knot-dns

Florian Weimer fw at deneb.enyo.de
Mon Dec 15 06:44:53 UTC 2014


* David Conrad:

>> In particular, running different implementations behind a load
>> balancer on the same public IP address can break EDNS detection by
>> resolvers, and crafted queries sent to a resolver can make data
>> unavailable to that resolver (until a timeout occurs).
>
> Huh?

Yeah.

> If you're running multiple implementations behind a load balancer
> and one is not following the protocol specifications such that it
> breaks EDNS detection, the answer is to fix the broken resolver or
> run a different resolver that responds correctly, not run an
> identical code base.

The problem is that the EDNS protocol does not have a proper
handshake.  If implementations reply differently to the same query, a
resolver may hit one implementation, receive some sort of failure
indication, try again without EDNS, hit the other implementation,
receive a reply, and conclude that the IP address in question is not
EDNS-tolerant.
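The sequence described above, as an added simulation that is not part of the original post: a resolver's fallback heuristic probes one public IP whose round-robin load balancer fronts two hypothetical backends, one that handles EDNS and one that fails on any query carrying an OPT record, and compares the result with a uniform pool.

```python
# Added simulation (not from the original post): a resolver's EDNS fallback
# heuristic probing a single IP fronted by a round-robin load balancer.
# Backend behaviours and the heuristic are simplified assumptions.
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Response:
    ok: bool    # True = usable answer came back
    edns: bool  # True = the response carried an OPT record


def edns_capable(query_edns: bool) -> Response:
    """Backend that implements EDNS: echoes OPT when the query has one."""
    return Response(ok=True, edns=query_edns)


def edns_broken(query_edns: bool) -> Response:
    """Backend that returns a failure (e.g. FORMERR) whenever it sees OPT."""
    return Response(ok=not query_edns, edns=False)


class LoadBalancedIP:
    """One public IP; successive queries are spread round-robin over backends."""

    def __init__(self, backends):
        self._next = cycle(backends)

    def query(self, edns: bool) -> Response:
        return next(self._next)(edns)


def probe_edns(ip: LoadBalancedIP) -> str:
    """Fallback heuristic as described in the post: try with EDNS; on a
    failure retry without it, and if that succeeds record the IP as non-EDNS.
    There is no handshake, so the second query may hit a different backend."""
    first = ip.query(edns=True)
    if first.ok and first.edns:
        return "edns"
    second = ip.query(edns=False)
    if second.ok:
        return "no-edns"  # wrong conclusion when the pool is mixed
    return "unreachable"


def simulate() -> dict:
    mixed = LoadBalancedIP([edns_broken, edns_capable])
    uniform = LoadBalancedIP([edns_capable, edns_capable])
    return {"mixed": probe_edns(mixed), "uniform": probe_edns(uniform)}
```

The mixed pool is recorded as non-EDNS even though half its backends support it, which is the misdetection the post describes; the uniform pool is classified correctly.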


