> Hi, list, I have upgraded our dns servers to version 9.5.0 P2, we have
> a high load, and a merged setup of authority and recursive servers, I
> know this is bad, but one can't have everything one wants, especially
> when having low resources.
> I have run into almost all the problems listed on this list since
> the upgrade for the vulnerability of Kaminsky:
> Out of file descriptors, ... etc, it has been a really hard job, we
> also have to change our firewall because of the problems with udp
> packets, and until now almost everything is solved, but one thing
> that really has me crazy.
> We are running in rhel 5.2, custom rpm packages of 9.5.0 P2 built
> for high loads, we have 2000 zones, and almost 7000 recursive
> clients, I'm trying to fix the problem of:
> too many timeouts resolving ...: disabling EDNS
> an average ping from our network has these responses
> PING google.com ( 56(84) bytes of data.
> 64 bytes from jc-in-f99.google.com ( icmp_seq=1 ttl=236 time=582 ms
> 64 bytes from jc-in-f99.google.com ( icmp_seq=2 ttl=236 time=583 ms
> PING isc.org ( 56(84) bytes of data.
> 64 bytes from external.isc.org ( icmp_seq=1 ttl=50 time=610 ms
> 64 bytes from external.isc.org ( icmp_seq=2 ttl=50 time=610 ms
> I did all the tests to confirm our firewall allows big udp packets,
> I have even used dig to query for dnssec, and it works ok, so I don't
> understand why bind times out the edns query, so, I'm wondering, what
> is the timeout for an edns query, could I change this value to a custom
> one, why can dig do edns queries, and why can't bind do it, and says
> timeouts and disables this, I know edns is important for the next step
> to use dnssec, but if dig can do it, why does bind time out???
> Any ideas..
> Best regards, Aliet

"disabling EDNS" is issued when named experiences too many
timeouts to EDNS queries and named decides to give up on
EDNS and revert to plain old DNS. Now timeouts can be the
result of many things. Broken nameservers that don't respond
to EDNS queries. Firewalls that block EDNS queries.
Firewalls that block fragmented responses. Firewalls/NATs
that don't handle out of order fragments.

Timeouts can also be due to other network problems including
unreachable servers.

If you are getting lots of these then you do have network /
firewall problems. They may however *not* be caused by EDNS.

The message has the symptom "too many timeouts", what it
was trying to do "resolving 'ns.cmmail.com/AAAA' (in
'cmmail.com'?)" and what named is doing "disabling EDNS" to
try to rectify the problem.

It does not say "EDNS is broken".

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
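To make the distinction in Mark's reply concrete (a plain DNS query versus one carrying an EDNS(0) OPT record, and the advertised UDP payload size that decides whether a large answer comes back fragmented), here is an added example, not code from this thread or from BIND. It builds both query forms per RFC 6891 and decodes the OPT record from a constructed sample response; the transaction id, the isc.org/A question and the 192.0.2.1 answer are made-up values.

```python
import struct

def _encode_name(name):  # dotted name -> DNS labels (no compression)
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def build_query(qname, qtype=1, edns=True, udp_payload=4096, do_bit=False, txid=0x1234):
    """Build a recursive query; with edns=True append an OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question                  # "plain old DNS": no OPT record at all
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL reused as ext-RCODE(8) | version(8) | flags(16; DO bit = 0x8000), RDLEN=0
    flags = 0x8000 if do_bit else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, flags, 0)

def parse_edns(msg):
    """Return the OPT record fields of a DNS message, or None if it carries no EDNS."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            return {"udp_payload": rclass, "do": bool(ttl & 0x8000),
                    "version": (ttl >> 16) & 0xFF, "ext_rcode": ttl >> 24}
        off += rdlen
    return None

def build_sample_response(txid=0x1234):
    """Constructed sample (not captured traffic): isc.org/A answer plus a server OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR, RD, RA; 1 answer, 1 additional
    question = _encode_name("isc.org") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", 41, 1280, 0x8000, 0)  # server accepts 1280 bytes, DO set
    return header + question + answer + opt
```

Sent over a UDP socket with a timeout, the same question at a smaller advertised payload size and then with edns=False shows whether answers stop timing out once they no longer need fragmentation, which separates a firewall or fragment problem from a server that is simply unreachable.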