[Pdns-users] Erroneous NXDOMAIN from Ebay triggered by EDNS extra info
sthaug at nethelp.no
sthaug at nethelp.no
Sun Dec 29 13:08:32 UTC 2013
> > According to RFC 6975, Option code 5 of the OPT RR should be used to
> > signal DAU (DNSSEC Algorithm Understood) - however, I doubt that this
> > is really what PowerDNS recursor is trying to tell me here. It seems
> > more likely that the inclusion of these additional 8 bytes in the
> > query is a bug in PowerDNS recursor 3.5.3.
>
> Our usage of option code 5 is for the expired EDNS PING draft. We recommend running with disable-edns-ping now (because of eBay).
>
> eBay's name servers are severely broken -- various non-vanilla aspects of DNS will trigger NXDOMAINs from their name servers. This is a serious bug on their end and we have been working on getting them to fix it (without success, so far).
Thanks for the explanation! I'm now happily running PowerDNS recursor
3.5.3 with
disable-edns=no
disable-edns-ping=yes
and everything seems to be working fine, including queries to the
severely broken Ebay name servers.
Might I suggest that the default for disable-edns-ping should be yes,
since 1) The EDNS PING draft is expired, 2) Option code 5 is reused
for a different purpose according to iana.org, and 3) EDNS PING is
known to trigger problems with the Ebay name servers (even if we both
agree that it is really the fault of the Ebay name servers)?
Also, I could find anything about disable-edns / disable-edns-ping at
http://doc.powerdns.com/html/built-in-recursor.html#recursor-settings
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
More information about the Pdns-users
mailing list