[dns-operations] knot-dns
Florian Weimer
fw at deneb.enyo.de
Mon Dec 15 06:44:53 UTC 2014
* David Conrad:
>> In particular, running different implementations behind a load
>> balancer on the same public IP address can break EDNS detection by
>> resolvers, and crafted queries sent to a resolver can make data
>> unavailable to that resolver (until a timeout occurs).
>
> Huh?
Yeah.
> If you're running multiple implementations behind a load balancer
> and one is not following the protocol specifications such that it
> breaks EDNS detection, the answer is to fix the broken resolver or
> run a different resolver that responds correctly, not run an
> identical code base.
The problem is that the EDNS protocol does not have a proper
handshake. If implementations reply differently to the same query, a
resolver may hit one implementation, receive some sort of failure
indication, try again without EDNS, hit the other implementation,
receive a reply, and conclude that the IP address in question is not
EDNS-tolerant.
More information about the dns-operations
mailing list