Bug 275091
| Summary: | Too many timeouts resolving $DOMAIN (in $DOMAIN?): disabling EDNS | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Scheck <redhat-bugzilla> | ||||||||
| Component: | bind | Assignee: | Adam Tkac <atkac> | ||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 9 | CC: | aliahsan81, davej, jan.kratochvil, mcepl, ndbecker2, ovasik | ||||||||
| Target Milestone: | --- | Keywords: | Reopened | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | All | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2008-11-11 15:04:14 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Robert Scheck
2007-09-03 11:58:52 UTC
EDNS is NOT pseudo-feature (yes, only BIND implement it but it's good idea :) ). And about patch - we have our modification (please see bind-9.3.3-edns.patch) which adds enable-edns option. So specify enable-edns yes_or_no in your options statement or view statement. Adam Adam, I can't agree with you. There seems to be no option in your patch, which
allows to disable edns completely. Putting "enable-edns no;" into "options {};"
doesn't turn it of at all which would expected behaviour, thus re-opening.
Hm, if this really doesn't work I'm wonder if Wilmer's patch will work. Could you please test it and report me if works as expected? (I will build binaries for you if you want). Thanks I'll build binaries myself, as this isn't hard for me. If it works, you can maybe merge these patches somehow and get it upstream as feature. I'll let you know whether Wilmer's patch is working for me better in the next days. Adam, here's my status: Wilmers patch doesn't solve the problem for me, too. It is currently not possible to disable EDNS completely. My syslog contains further on many many timeout error messages from BIND. Could you test 9.5.0-12.1.a6 (from http://people.redhat.com/atkac/test_srpms/ ), please? You should be able to specify "edns no;" in options/view statement. Adam Created attachment 198401 [details]
My local /etc/named.conf
Running on:
bind-9.5.0-12.1.a6.fc8.x86_64
bind-chroot-9.5.0-12.1.a6.fc8.x86_64
bind-libs-9.5.0-12.1.a6.fc8.x86_64
bind-utils-9.5.0-12.1.a6.fc8.x86_64
using the attached `/etc/named.conf'
and still get zillions of:
Sep 18 16:08:16 host0 named[20017]: too many timeouts resolving
'12.83.144.176.combined-HIB.dnsiplists.completewhois.com/A' (in
'dnsiplists.completewhois.com'?): disabling EDNS
Sep 18 16:08:16 host0 named[20017]: too many timeouts resolving
'12.247.13.87.combined-HIB.dnsiplists.completewhois.com/A' (in
'dnsiplists.completewhois.com'?): disabling EDNS
while having
options {
edns no;
};
Thanks for report. Could you please package with more improvements? http://kojiweb.fedoraproject.org/koji/taskinfo?taskID=166219 Yes, it looks fine now:
default .conf - Messages still produced
options { edns no; }; - Messages suppressed
bind-9.5.0-12.2.a6.fc8.x86_64
bind-chroot-9.5.0-12.2.a6.fc8.x86_64
bind-libs-9.5.0-12.2.a6.fc8.x86_64
bind-utils-9.5.0-12.2.a6.fc8.x86_64
Still I would rather like to turn off only the warnings as I expect the EDNS
feature would be still used for the servers supporting it. Something similiar
to the following useful setting but targeted at EDNS:
logging {
category lame-servers { null; };
};
I assume both types of the warnings should be turned on by default.
(Still I do not understand it much, just giving the possibly missing feature hint.)
There already is option which should disable those messages. Put "category
edns-disabled { null; };" to your logging statement. Also let me discuss
proposed edns global option in upstream
I'm using bind-9.5.0-12.2.a6 since yesterday evening and nothing edns specific in logs until now. But the last time, the messages came up after a day. After discussion in upstream I'm going to completely throw away global edns option (http://marc.info/?t=119027612100006&r=1&w=2). There will be three broken things whose break EDNS (with solutions): - bad remote server - use server's statement edns option - big packet loss - simple disable EDNS related logging (comment #10) - bad firewall/router (most cases) - report bug to your router vendor Adam (In reply to comment #12) > - bad firewall/router (most cases) - report bug to your router vendor - also set EDNS packet size should help (edns-udp-size, max-udp-size options) Adam, I can't agree with you. I can't add thousands of bad remote servers to my configuration. And there are cases where I can't fix the firewall/router and the stuff *has* to work. So there *has* to be a workaround for such IMHO pseudo features. Please keep this patch at downstream, because not every upstream decision is clever and upstream doesn't want to see the reality in this case. (In reply to comment #14) > Adam, I can't agree with you. I can't add thousands of bad remote servers to my > configuration. And there are cases where I can't fix the firewall/router and > the stuff *has* to work. So there *has* to be a workaround for such IMHO pseudo > features. Please keep this patch at downstream, because not every upstream > decision is clever and upstream doesn't want to see the reality in this case. Yes, upstream will be stupid sometimes but not in this case. if you have one or more forwarders I don't believe that many doesn't support EDNS. If yes it means that you are using old software with security bugs etc. And set server statement for one of them isn't so annoying. And I also believe that all (or near all) root servers and frontline servers support EDNS. if you have bad firewall options edns-udp-size 512; (for outgoing queries) and max-udp-size 512; (from incomming queries) should help you. if you have bad network simply disable edns logging It's really no argument why add global edns option, is it? My forwarders support EDNS. But many authoritative DNS servers in eastern Europe, Asia and when wandering more through the Pacifc room don't. Most of this timeouts are from eastern EMEA and I don't want to configure eastern EMEA's authoritative DNS servers as exceptions in my BIND configuration. So there has to be a *real* solution for this. Just disabling logging doesn't solve the problem, that DNS is very slow for these servers. IMHO you never used EDNS in a huge environment where countless DNS queries are done. And there *must* be a good reason, that vendors like HP are introducing similar patches for BIND regarding this "feature". When having HP-UX, I'm able to disable the stuff completely, because HP recognized, there *are* cases like I described above, where EDNS slows up heavily. You'll have to change this for RHEL6 anyway, so why is the problem to add this patch to Fedora 8, too? And please don't tell me, you won't add a patch to BIND for RHEL6. There will be many customers killing you for this feature as I'm currently doing. Do you really want to make me switching to HP-UX? ;-) In the end I've added that patch to f8 build... *** Bug 387191 has been marked as a duplicate of this bug. *** After big discussion on bind-workers (http://marc.info/?t=119566296700004&r=1&w=2) this option is going to be removed in F9. I'm not going to rebel against all bind developers despite I think this is good option. Please use server ::/0 { edns no; }; server 0.0.0.0/0 { edns no; }; instead edns no; As I wrote above real problem is often in bad router. Please report it to router vendor. Accepted as far as your suggestion works the same way. And just once more: How to report to the router vendor such problems when many companies of DNS servers in Asia Pacific (sorry, but the problems are always coming up when walking more and more east) are just too dumb to configure their routers either correctly or not buying working routers? :) (In reply to comment #21) > Accepted as far as your suggestion works the same way. > > And just once more: How to report to the router vendor such problems when > many companies of DNS servers in Asia Pacific (sorry, but the problems are > always coming up when walking more and more east) are just too dumb to > configure their routers either correctly or not buying working routers? :) Yes, it is problem. You could only tell them that they doesn't honour eight year old standard. Best will be send that people to jail and let them go after they promise that they will never viloate ENDS again :) Adam, "server ::/0 { edns no; }; server 0.0.0.0/0 { edns no; };" does NOT work
for me. It causes the same error messages as it wouldn't be there. Reopening.
Hm, what you mean with "doesn't work"? There are messages in system log? "server ::/0 { edns no; }; server 0.0.0.0/0 { edns no; };" causes the same "Too
many timeouts resolving $DOMAIN (in $DOMAIN): disabling EDNS" messages for me
and DNS gets ugly slow (even my forwarders support EDNS), but some DNS servers
in foreign don't. I know, that I can hide the log stuff, but that doesn't speed
up DNS/resolving for me. Anyway, shouldn't disabling "edns no" as above really
disable EDNS in BIND?
OUCH! Is the segfault somehow related to the EDNS thing? Apr 15 02:27:54 tux named[5132]: too many timeouts resolving 'roberthansen.com/MX' (in 'roberthansen.com'?): disabling EDNS Apr 15 02:27:59 tux named[5132]: too many timeouts resolving 'roberthansen.com/MX' (in 'roberthansen.com'?): disabling EDNS Apr 15 02:34:59 tux kernel: named[5134]: segfault at 00000000 eip 0016079f esp b74feec0 error 4 *** Bug 445080 has been marked as a duplicate of this bug. *** After investigation server 0.0.0.0 { edns no; }; statement doesn't work now. I'm
going to release update with some additional patches right after F9 release
Created attachment 304558 [details]
simple patch
32:9.5.0-31.b3 doesn't seem to contain the patch, yet. (In reply to comment #30) > 32:9.5.0-31.b3 doesn't seem to contain the patch, yet. You are right. After more investigation this patch isn't sufficient. Final patch is going to be different and waiting for review in upstream. Note that if you specify "server 0.0.0.0/0 { edns no; };" (and also for ::/0, make sure you included "/0") EDNS is really disabled globally (you can check it with tcpdump or dnscap), only log message leaks when query timeouts (not due EDNS but when server is really unreachable) Btw could you please check if your problem is really in EDNS, please? What says "dig @<your_forwarder_IP> <some_name> +edns=0" ? And if it fails can add +bufsize=512 parameter, please? From comment #26 it looks that you have big UDP packet loss than your forwarder doesn't support EDNS. Thanks I'm using /0 of course. My forwarders are both working fine, interestingly the following causes a timeout and thus a log message as in summary: tux:~ # dig @127.0.0.1 redrumterriers.com +edns=0 ; <<>> DiG 9.5.0b3 <<>> @127.0.0.1 redrumterriers.com +edns=0 ; (1 server found) ;; global options: printcmd ;; connection timed out; no servers could be reached tux:~ # AFAIK I've got no special configuration of bind on my server (just caching DNS which provides the same forwarders as in /etc/resolv.conf). Created attachment 305175 [details] Output from dig Look on this dig output - from comment #26 it might look that roberthansen.com. server doesn't support EDNS but it supports it. Log messages were due query timeouts (packet loss, server was down etc) so no problem related to EDNS. I recommend do not disable EDNS but first check if servers really doesn't support it. And if they don't then proper administrator should be informed that he doesn't conform nine year old standard and he should fix his server. tux:~ # grep -c "too many timeouts resolving" /var/log/messages* /var/log/messages:619 /var/log/messages-20080420:2146 /var/log/messages-20080427:2782 /var/log/messages-20080504:2942 /var/log/messages-20080511:4064 tux:~ # You or me writing these e-mails? ;-) bind-9.5.0-31.b3.fc9 has been submitted as an update for Fedora 9 Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping bind-9.5.0-31.b3.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-3861 bind-9.5.0-32.rc1.fc9 has been submitted as an update for Fedora 9 bind-9.5.0-32.rc1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. (In reply to comment #33) > I recommend do not disable EDNS but first check if servers really doesn't > support it. And if they don't then proper administrator should be informed that > he doesn't conform nine year old standard and he should fix his server. Sorry but I am not going to contact admins of about 3000 servers per day, this log is for the last two days on my workstation: http://www.jankratochvil.net/priv/disabling-edns named[24415]: too many timeouts resolving 'LINE-CONTENT/xxx' (in 'yyy'?): disabling EDNS Connectivity is over ADSL on public static IP (through openvpn), 30ms RTT. this problem is addressed in upcomming 9.5.1 release. Currently we have 9.5.1b2 in rawhide so if anyone is using F10 tree he could test bind-9.5.1-0.7.b2.fc10 and check if situation is better. bind-9.5.1-0.7.b2.fc10.x86_64 Still a flood of them but they are of two kinds now: Oct 4 20:12:54 host0 named[17739]: too many timeouts resolving 'homebanc.com/TXT' (in 'homebanc.COM'?): reducing the advertised EDNS UDP packet size to 512 octets Oct 4 20:13:06 host0 named[17739]: too many timeouts resolving 'scissorlok.com/A' (in 'scissorlok.COM'?): disabling EDNS Oct 4 20:15:21 host0 named[17739]: too many timeouts resolving 'valent.com/TXT' (in 'valent.COM'?): reducing the advertised EDNS UDP packet size to 512 octets Oct 4 20:15:29 host0 named[17739]: too many timeouts resolving 'imaginemedia.co.uk.fulldom.rfc-ignorant.org/A' (in 'fulldom.rfc-ignorant.org'?): reducing the advertised EDNS UDP packet size to 512 octets (full MTU/MRU 1500 - openvpn) After many discussions about EDNS0 there is no way how better solve this problem. named works as RFC 2671 says and that messages are usually helpful so they are logged by default. If you want suppress that messages use "category edns-disabled { null; };" in your logging statement in named.conf. Closing
*** Bug 494948 has been marked as a duplicate of this bug. *** |