Mark Andrews via RT wrote:
> I don't think there is anything for us to do here.

I can see a couple of changes that would help.

I think it would make sense to use different EDNS logic when resolving a signed zone. In this situation named should never send a query without EDNS DO. If an auth server sends a non-EDNS response to a query for a signed zone, named should treat it as a broken server, not as a pre-EDNS server. This should cause named to try the other servers for the zone, which might work better. At the moment named can fall back to non-EDNS, get an unsigned reply, try to validate it, and give up, rather than trying to get a properly signed response from another server.

The other improvement would be to start with a less pessimistic EDNS buffer size. Plausible choices would be the Ethernet MTU minus a bit of slop for VLAN tags and tunnels, or the IPv6 minimum MTU.

I haven't looked at the new EDNS logic in detail yet; I used to have a patch which added a third intermediate fallback level, though I never properly investigated whether it improved things. Its downside was that it increased latency for non-EDNS servers. If you start at an intermediate buffer size, then if it worked you can try big buffers to see if fragmented packets work, and if not you can fall back to small buffers and/or no EDNS; this should be a good mix of the new and old behaviours.

Regarding the two specific examples in this bug report, the Rage4 people have fixed their custom build of PowerDNS, which is nice. I have not heard back from CommunityDNS. This is a bit more worrying since they provide authoritative service for A LOT of really important zones, including TLDs and dotat.at...
; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +ignore +multiline +norec +bufsize=512 +qr dotat.at @ns3.gratisdns.dk
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22659
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dotat.at.		IN A

;; QUERY SIZE: 37

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22659
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dotat.at.		IN A

;; ANSWER SECTION:
dotat.at.		3600 IN A 212.13.197.229
dotat.at.		3600 IN RRSIG A 5 2 3600 (
				20140628093111 20140618091908 56700 dotat.at.
				OqSbw9PGyPaq35tjm/UxEglUataufjWvKpkb8A5mT4CW
				FKxQNTfwPwq1aXnSfpzL+5oorIf5pqdDd0le8WCKtcUv
				rlPh6RsAea08WfsQc226cM0bHVJuU13PVVYBP+Y9PFQ8
				aXBP2APJOFWpRpbhu72irU66UpIcdEwnGDV4Weo= )

;; Query time: 23 msec
;; SERVER: 2001:678:5::6#53(2001:678:5::6)
;; WHEN: Thu Jun 19 11:21:03 BST 2014
;; MSG SIZE  rcvd: 210

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Humber, Thames: North or northwest 3 or 4 increasing 5 or 6, but 4 at times later. Slight or moderate. Showers. Moderate or good, occasionally poor at first.
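The fallback strategy sketched in the mail above (start at an intermediate EDNS buffer size, try a big buffer if it works, shrink to a small buffer or no EDNS if it does not, and for a signed zone treat a non-EDNS reply as a broken server and move on to the next one) as an added Python simulation. This is example code written for this page, not BIND's resolver logic and not code from the thread; the server models, the 1400/4096-byte sizes and the answer sizes are constructed assumptions, and no packets are sent.

```python
"""Simulation of the EDNS fallback strategy sketched in the mail above.

Added example, not BIND code: authoritative servers are modelled as
Python objects and nothing touches the network.  Buffer sizes, server
behaviours and answer sizes are constructed for the simulation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Advertised EDNS buffer sizes used by the simulated resolver (bytes).
BUF_NONE = 0        # plain DNS query, no OPT record (classic 512-byte limit)
BUF_SMALL = 512
BUF_MEDIUM = 1400   # roughly Ethernet MTU minus slop for VLAN tags / tunnels
BUF_LARGE = 4096


@dataclass
class Reply:
    edns: bool        # server included an OPT record in the reply
    signed: bool      # RRSIGs included (DO bit honoured)
    truncated: bool   # TC set: answer did not fit the advertised buffer
    size: int         # bytes of the datagram actually delivered


@dataclass
class FakeServer:
    """Constructed model of an authoritative server plus the path to it."""
    name: str
    supports_edns: bool
    path_mtu: int                     # datagrams larger than this are lost
    answer_signed: int                # answer size with RRSIGs
    answer_plain: int                 # answer size without RRSIGs
    drops_edns_queries: bool = False  # e.g. a middlebox that eats OPT

    def query(self, bufsize: int, do: bool) -> Optional[Reply]:
        """Return the reply for one UDP query, or None for a timeout."""
        if bufsize == BUF_NONE:
            # Pre-EDNS query: no DO bit, no signatures, 512-byte limit.
            size, limit, edns, signed = self.answer_plain, 512, False, False
        elif not self.supports_edns:
            if self.drops_edns_queries:
                return None
            # Old server: ignores OPT and answers as if the query were plain.
            size, limit, edns, signed = self.answer_plain, 512, False, False
        else:
            size = self.answer_signed if do else self.answer_plain
            limit, edns, signed = max(bufsize, 512), True, do
        truncated = size > limit
        sent = min(size, limit)
        if sent > self.path_mtu:
            return None                   # fragments dropped on the path
        return Reply(edns, signed, truncated, sent)


def usable(reply: Optional[Reply], zone_signed: bool) -> bool:
    """For a signed zone a non-EDNS reply marks a broken server, not a pre-EDNS one."""
    if reply is None:
        return False
    return reply.edns or not zone_signed


def probe_server(server: FakeServer, zone_signed: bool) -> Optional[Tuple[int, Reply]]:
    """Start at an intermediate buffer, grow if it works, shrink if it does not."""
    reply = server.query(BUF_MEDIUM, do=True)
    if usable(reply, zone_signed):
        if not reply.edns:
            return (BUF_NONE, reply)      # legacy server answering an unsigned zone
        big = server.query(BUF_LARGE, do=True)
        if usable(big, zone_signed):
            return (BUF_LARGE, big)       # fragmented replies get through
        return (BUF_MEDIUM, reply)        # they do not; stay at the medium size
    reply = server.query(BUF_SMALL, do=True)
    if usable(reply, zone_signed):
        return (BUF_SMALL, reply)
    if zone_signed:
        return None                       # never drop DO for a signed zone
    reply = server.query(BUF_NONE, do=False)
    return (BUF_NONE, reply) if reply is not None else None


def resolve(servers: List[FakeServer], zone_signed: bool):
    """Try each server in turn; return (name, bufsize, reply) or None."""
    for server in servers:
        outcome = probe_server(server, zone_signed)
        if outcome is not None:
            return (server.name, *outcome)
    return None


# Constructed scenario: one legacy (non-EDNS) server, one healthy server.
LEGACY = FakeServer("ns-legacy", supports_edns=False, path_mtu=1500,
                    answer_signed=210, answer_plain=60)
HEALTHY = FakeServer("ns-good", supports_edns=True, path_mtu=1500,
                     answer_signed=210, answer_plain=60)

if __name__ == "__main__":
    print(resolve([LEGACY, HEALTHY], zone_signed=True))
    print(resolve([LEGACY, HEALTHY], zone_signed=False))
```

With a signed zone the legacy server is skipped and the healthy one is used at the large buffer size; with an unsigned zone the legacy server's non-EDNS answer is accepted as it stands. A server whose path loses fragments is kept at the medium size with a truncated reply (which a real resolver would retry over TCP), and a server behind a middlebox that drops every EDNS query is given up on entirely for a signed zone instead of being asked for an unsigned answer.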