Description of problem:
Bind 9.2.4 16.EL4 configured as caching nameserver. It sends EDNS packets to the root nameservers: most of them reply with a "format error". Trace as follows:

-------------------------------------------------------------------------------------------
No.  Time      Delta     Source      Destination  Protocol  Info
18   0.513475  0.111514  212.77.0.2  10.41.0.64   DNS       Standard query response, Format error

Frame 18 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0b:fc:90:ab:fc (00:0b:fc:90:ab:fc), Dst: 00:13:21:6b:ea:53 (00:13:21:6b:ea:53)
Internet Protocol, Src: 212.77.0.2 (212.77.0.2), Dst: 10.41.0.64 (10.41.0.64)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 51959 (51959)
Domain Name System (response)
    Transaction ID: 0xddda
    Flags: 0x8091 (Standard query response, Format error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0001 = Reply code: Format error (1)
    Questions: 0
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0

0000  00 13 21 6b ea 53 00 0b fc 90 ab fc 08 00 45 00   ..!k.S........E.
0010  00 28 e0 34 00 00 12 11 e9 d8 d4 4d 00 02 0a 29   .(.4.......M...)
0020  00 40 00 35 ca f7 00 14 f7 74 dd da 80 91 00 00   .@.5.....t......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
-------------------------------------------------------------------------------------------

This behaviour, although not as high-impact as other DNS issues, creates log entries in CheckPoint FW-1, resulting in FW-1 crash!
In Bind 9 you can turn EDNS off for a specific server, but not globally. The suggested patch makes it available globally.
http://wilmer.gaast.net/downloads/bind-9.3-edns-global.diff
Pcap trace available upon request.
Created attachment 138786: Patch for EDNS global option
Created attachment 138787: PCAP with the problem
The pcap file with the DNS EDNS format error.
Okay, thanks for the report, I'll check it.
This patch is quite clear so I don't have any objections.
Created attachment 140113: proposed patch
Applied in devel/FC6.
Created attachment 144690: proposed patch for RHEL-4 (bind-9.2.4)
A backported patch for the RHEL-4 package (bind-9.2.4).
This bugzilla had previously been approved for engineering consideration but Red Hat Product Management is currently reevaluating this issue for inclusion in RHEL4.6.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0743.html