[dns-operations] knot-dns

Mark Andrews marka at isc.org
Mon Dec 15 07:17:46 UTC 2014


In message <878ui94dju.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> The problem is that the EDNS protocol does not have a proper
> handshake.  If implementations reply differently to the same query, a
> resolver may hit one implementation, receive some sort of failure
> indication, try again without EDNS, hit the other implementation,
> receive a reply, and conclude that the IP address in question is not
> EDNS-tolerant.

Well, it isn't, and unless the answer you want depends on EDNS that
doesn't matter.  If the answer does depend on EDNS working, you need
feedback to force EDNS regardless of the answers you are seeing.

The biggest problem with EDNS is implementors not actually implementing
the protocol.  That makes it hard to do anything with any degree
of certainty.

Try running an experimental EDNS(1) resolver.  Too many firewalls just
drop the query despite the documented response being BADVERS.

Similarly with EDNS unknown flags and unknown EDNS options.  Both
of these should be ignored.

If you do get a response back there is a good chance that it will
be an invalid response.  EDNS compliance is sitting in the low 60's
as a percentage.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
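The two probes Mark describes (an EDNS(1) query, whose documented reply is BADVERS, and a query carrying an unknown EDNS flag and an unknown EDNS option, both of which a server must ignore) are easy to express on the wire. The following is an added example, not Mark's or ISC's code: it builds the probe queries, parses the OPT RR out of a reply, and classifies the reply as compliant, non-compliant or dropped. The flag bit 0x4000 is assumed to be unassigned (only DO, 0x8000, is), and option code 65001 is assumed to be safe to use because it sits in the local/experimental range; the replies it classifies are constructed test data, not captured traffic.

```python
import struct

OPT = 41
BADVERS = 16                 # extended RCODE 16: unsupported EDNS version (RFC 6891)
UNKNOWN_FLAG = 0x4000        # assumed unassigned EDNS flag bit (only DO, 0x8000, is assigned)
UNKNOWN_OPTION = 65001       # assumed option code from the local/experimental range 65001-65534

def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + length

def build_query(name, qtype=1, edns_version=0, ext_flags=0, options=b"", qid=0x1234):
    """Probe query: one question plus one OPT RR with the given EDNS version, flags and options."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    ttl = (edns_version << 16) | ext_flags                      # OPT TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, ttl, len(options)) + options
    return header + question + opt

def build_response(query, rcode=0, ext_rcode=0, version=0, ext_flags=0, options=b"", include_opt=True):
    """Constructed server reply echoing the query's question (test data, not captured traffic)."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 1 if include_opt else 0)
    msg = header + question
    if include_opt:
        ttl = (ext_rcode << 24) | (version << 16) | ext_flags
        msg += b"\x00" + struct.pack(">HHIH", OPT, 4096, ttl, len(options)) + options
    return msg

def parse_response(msg):
    """Return (extended rcode, EDNS version or None if no OPT RR, EDNS flags, [(code, data), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                           # QTYPE + QCLASS
    ext_rcode, version, eflags, options = 0, None, 0, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT:
            ext_rcode, version, eflags = ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF
            pos = 0
            while pos + 4 <= len(rdata):                        # walk the option TLVs
                code, olen = struct.unpack(">HH", rdata[pos:pos + 4])
                options.append((code, rdata[pos + 4:pos + 4 + olen]))
                pos += 4 + olen
    return (ext_rcode << 4) | rcode, version, eflags, options

def classify_edns1(response):
    """EDNS(1) probe: the documented reply is BADVERS with the version the server does support."""
    if response is None:
        return "dropped"                                        # timeout, typically a middlebox
    rcode, version, _, _ = parse_response(response)
    if version is None:
        return "noncompliant: no OPT RR in reply"
    if rcode == BADVERS and version == 0:
        return "compliant"
    return f"noncompliant: rcode {rcode}, version {version}"

def classify_unknown(response):
    """Unknown flag + unknown option probe: both must be ignored, so expect NOERROR with neither echoed."""
    if response is None:
        return "dropped"
    rcode, version, eflags, options = parse_response(response)
    if version is None:
        return "noncompliant: no OPT RR in reply"
    if rcode != 0:
        return f"noncompliant: rcode {rcode}"
    if eflags & UNKNOWN_FLAG:
        return "noncompliant: unknown flag echoed"
    if any(code == UNKNOWN_OPTION for code, _ in options):
        return "noncompliant: unknown option echoed"
    return "compliant"

def demo():
    """Constructed replies for the cases described in the message (not captured traffic)."""
    q1 = build_query("example.com.", edns_version=1)
    q2 = build_query("example.com.", ext_flags=UNKNOWN_FLAG, options=struct.pack(">HH", UNKNOWN_OPTION, 0))
    return {
        "edns1 badvers": classify_edns1(build_response(q1, ext_rcode=1)),    # ext-rcode 1, rcode 0 = 16
        "edns1 dropped": classify_edns1(None),
        "edns1 answered as v0": classify_edns1(build_response(q1)),
        "unknown ignored": classify_unknown(build_response(q2)),
        "unknown option echoed": classify_unknown(build_response(q2, options=struct.pack(">HH", UNKNOWN_OPTION, 0))),
    }
```

Calling demo() returns a verdict per constructed case; against a real server you would send build_query(...) over UDP, pass the reply (or None on timeout) to the matching classify function, and count "dropped" separately from "noncompliant", since the former points at a firewall rather than the name server.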


