Maintained by: NLnet Labs

[Unbound-users] Disabling EDNS0?

Michael Tokarev
Wed Oct 15 11:36:58 CEST 2014

On 15.10.2014 10:48, Jelte Jansen wrote:
> On 10/14/2014 09:13 PM, Michael Tokarev wrote:
>> Hello.
>> It looks like there's a common problem in various networks, -- some
>> resolvers do not understand the EDNS0 OPT record at the end of the DNS
>> query packet and return either an NXDOMAIN or a NODATA response to *any*
>> such query, no matter whether the domain in question exists or not.
> I guess you mean authoritative servers, not resolvers?

No, I mean resolvers.  The 'dns server' setting which is sent over
DHCP, -- some distributions use this information and make it available
to unbound via `unbound-control forward <>'.

At least one network I come across here redirects outgoing port 53 to
the local resolver, so it isn't really possible to get it to work
even after disabling explicit forwarding.

So the talk is about broken recursive resolvers (mostly in various
SOHO routers), not about certain domains.

(The talk is about Dusseldorf, DE -- I'm at linuxcon right now, and
the wifi network in the DCC is of this kind, with a broken DNS resolver.
I found many other wifi networks around the city share the same
brokenness -- so it looks like some local telecom issue.)

> But I'd rather see we try to get those broken domains fixed. Note that
> they do not need to support EDNS0, they just need to follow the RFCs
> instead of giving false answers.

As a user I just had to disable unbound (which I used for local DNS
caching), because I really needed the thing to work and I don't have
any time to fight with this prob at the conference.

> Note that any reasonably modern resolver would be adding EDNS0 by
> default, so if they are responding badly to it they should have a lot
> more problems.

Apparently, with so many people around me, I was the only one in here
who had this prob ;)


> Jelte
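A small diagnostic for the failure mode Michael describes, added here as an example and not code from this thread or from Unbound: it builds the same query twice, once plain and once with an EDNS0 OPT record, sends both to a resolver over UDP, and reports whether the OPT record alone turns a good answer into NXDOMAIN or NODATA. The probe name and the resolver address are assumptions; the packet builder and classifier work offline on constructed responses.

```python
import os
import socket
import struct

def build_query(name, qtype=1, edns=False):
    """Raw DNS query (RD set) for name/qtype. With edns=True an EDNS0 OPT RR is
    appended in the additional section, the record that trips the broken resolvers."""
    header = os.urandom(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    pkt = header + qname + struct.pack(">HH", qtype, 1)
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size 4096,
        # TTL = extended rcode / version / flags all zero, RDLENGTH 0 (no options)
        pkt += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)
    return pkt

def summarize(resp):
    """Return (rcode, ancount) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    flags, _qdcount, ancount = struct.unpack(">HHH", resp[2:8])
    return flags & 0x0F, ancount

def classify(plain, with_edns):
    """Compare the plain and the EDNS0 reply for the same name, which must exist.
    'edns-nxdomain' / 'edns-nodata' is the breakage from the thread; 'edns-rejected'
    (FORMERR/NOTIMP) is an old but RFC-conformant resolver that simply lacks EDNS0."""
    p_rcode, p_an = summarize(plain)
    e_rcode, e_an = summarize(with_edns)
    if p_rcode != 0 or p_an == 0:
        return "name-unresolvable-even-without-edns"   # bad probe name, not an EDNS issue
    if e_rcode == 0 and e_an > 0:
        return "ok"
    if e_rcode == 3:
        return "edns-nxdomain"
    if e_rcode == 0:
        return "edns-nodata"
    if e_rcode in (1, 4):
        return "edns-rejected"
    return "edns-other-rcode-%d" % e_rcode

def probe(server, name="www.nlnetlabs.nl", timeout=2.0):
    """Send both queries to `server` (assumed IP string) over UDP and classify it."""
    replies = []
    for edns in (False, True):
        q = build_query(name, edns=edns)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(4096)
        if resp[:2] != q[:2]:
            raise RuntimeError("transaction id mismatch")
        replies.append(resp)
    return classify(*replies)
```

Running `probe("192.0.2.1")` against the DHCP-supplied resolver of a suspect network gives a quick verdict before deciding whether to keep unbound forwarding to it.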