
Turn Off edns, could we ?


Scottie Lu
Mar 9, 2003, 9:06:31 PM
Hi, there

Because some name servers on the internet could NOT respond to edns
queries correctly, we want to TURN OFF the edns packets sent from our
named !!!

Could we do this by setting the config file ?
Or must we trace the source code of BIND and change it to do that ?


Best Regards
Scottie Lu


p...@icke-reklam.ipsec.nu
Mar 10, 2003, 2:11:22 AM

Sure you can disable this per server : see
the 'server' statement in bind-9 :
    server ip_addr {
        edns yes_or_no ;
    };


--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

Scottie Lu
Mar 10, 2003, 2:42:03 AM
Peter, Thank you very much !

That's great ! This config statement can turn off edns per server IP
address !

But we want to make NAMED ALWAYS NOT send edns packets GLOBALLY,
that is, we want to destroy the edns capability of our named towards ALL
servers on the internet.
How could we do that ? Is it possible ?

I think it is NOT a smart way to list each server on the internet in a
config statement with 'edns no'.

Best Regards
Scottie Lu

----- Original Message -----
From: <p...@icke-reklam.ipsec.nu>
Newsgroups: comp.protocols.dns.bind
To: <comp-protoc...@isc.org>
Sent: Monday, March 10, 2003 3:06 PM
Subject: Re: Turn Off edns, could we ?


Doug Barton
Mar 10, 2003, 2:52:44 AM
On Mon, 10 Mar 2003, Scottie Lu wrote:

> But we want to make the NAMED ALWAYS DO NOT send edns packet GLOBALLY,

That's a bad idea. EDNS is the inevitable future, and getting things that
don't work with it now working is critical.

That said, our authoritative servers do thousands of queries per second
from sites all over the world, and we have very few problems related to
edns. We get complaints a couple times per month, mostly from people whose
resolvers are behind PIX firewalls.

Doug

--

If it's moving, encrypt it. If it's not moving, encrypt
it till it moves, then encrypt it some more.


p...@icke-reklam.ipsec.nu
Mar 10, 2003, 1:07:03 PM
Scottie Lu <s6...@du.net.tw> wrote:
> Peter, Thank you very much !

> That's great ! This config statement can turn off edns by per-server IP
> address !

> But we want to make the NAMED ALWAYS DO NOT send edns packet GLOBALLY,
> that is, we want to destroy the edns capability of our named to ALL servers
> on the internet.
> How could we make that ? Is it possible ?

Sorry, cannot help you here ;
    server 0.0.0.0 {
        edns no;
    };

won't do ( tried on 9.2.2rc1 )

> I think it is NOT a smart way to set each server on the internet in the
> config statement 'edns no'.

> Best Regards
> Scottie Lu

Why do you need to turn this off ? Are you trapped behind a brain-dead
firewall of some kind ?

Scottie Lu
Mar 13, 2003, 3:35:52 AM
> Sorry, cannot help you here ;
>     server 0.0.0.0 {
>         edns no;
>     };
>
> won't do ( tried on 9.2.2rc1 )
>
> > I think it is NOT a smart way to set each server on the internet in the
> > config statement 'edns no'.
>
> > Best Regards
> > Scottie Lu
>
> Why do you need to turn this off ? Are you trapped behind a brain-dead
> firewall of some kind ?

I must do this because my named will time out without doing anything after it
sent an edns packet, while the receiver ( the other side's name server ) that
could NOT make any response to an edns packet is broken for edns.

The result is :
My clients were NOT able to access some specific domains delegated to those
broken name servers.
This has often troubled me since my BIND was upgraded from 8.2.x to 8.3.4.


Scottie Lu

p...@icke-reklam.ipsec.nu
Mar 13, 2003, 4:03:18 PM
Scottie Lu <s6...@du.net.tw> wrote:
>> Sorry, cannot help you here ;
>>     server 0.0.0.0 {
>>         edns no;
>>     };
>>
>> won't do ( tried on 9.2.2rc1 )
>>
>> > I think it is NOT a smart way to set each server on the internet in the
>> > config statement 'edns no'.
>>
>> > Best Regards
>> > Scottie Lu
>>
>> Why do you need to turn this off ? Are you trapped behind a brain-dead
>> firewall of some kind ?

> I must do this because my named will timeout without doing anything after it
> sent a edns packet, while the receiver ( the others' name server ) that
> could NOT make any response to edns packet is broken for edns.

> The result is :
> My clients were NOT able to access some specific domains delegated to those
> broken name servers.
> This affair often disturbed me when my BIND upgraded from 8.2.x to 8.3.4.


> Scottie Lu

Well, then marking those servers as "edns no;" is the way to go.
( speaking about "specific domains " )
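The thread ends with per-server `edns no;` for the specific broken servers. As an added example (not from the thread, and not BIND's own code), here is a small Python probe that finds which servers show the symptom Scottie describes: it sends the same question once with an OPT pseudo-RR and once without, classifies the replies, and flags a server only when plain queries work but EDNS ones time out or are rejected, so only those servers need a `server <ip> { edns no; };` block. The queried name and the server address are assumed placeholders, and `probe()` needs network access; the other functions run offline.

```python
import socket
import struct

def build_query(name, qid=0x1234, edns=True, udp_size=4096):
    """A/IN query for name; edns=True appends the OPT pseudo-RR (TYPE 41) that makes it an EDNS query."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root owner name, TYPE=41, CLASS=sender UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def _skip_name(buf, off):
    while buf[off] and buf[off] & 0xC0 != 0xC0:  # labels until root or a compression pointer
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)          # pointer is two bytes, root label is one

def classify_response(resp):
    """edns-ok: OPT echoed; no-opt: answered without OPT; rejected/timeout: EDNS not handled."""
    if resp is None:
        return "timeout"
    if struct.unpack("!H", resp[2:4])[0] & 0x0F in (1, 4):  # RCODE FORMERR or NOTIMP
        return "rejected"
    qd, an, ns, ar = struct.unpack("!HHHH", resp[4:12])
    off = _skip_name(resp, 12) + 4  # past the single question we sent (name + QTYPE + QCLASS)
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 41:
            return "edns-ok"
        off += 10 + rdlen
    return "no-opt"

def probe(server_ip, name="example.com", timeout=2.0):
    """Send the same question with and without OPT over UDP and classify both replies (needs network)."""
    results = {}
    for edns in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns=edns), (server_ip, 53))
            try:
                resp = s.recvfrom(4096)[0]
            except socket.timeout:
                resp = None
        results["edns" if edns else "plain"] = classify_response(resp)
    return results

def needs_edns_no(results):
    """True when plain queries work but EDNS ones time out or are rejected: the symptom in the thread."""
    return results["plain"] in ("no-opt", "edns-ok") and results["edns"] in ("timeout", "rejected")
```

A result such as {'plain': 'no-opt', 'edns': 'timeout'} is exactly the behaviour Scottie reports, and only servers for which needs_edns_no() returns True need a per-server edns no; entry.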
