*** Global EDNS flag patch for BIND 9.3.1

With this patch, you can also specify "edns no" in the main options section of named.conf, so BIND will never do EDNS requests. Normally you can only disable EDNS for specific servers.

Most people won't have a use for this patch, but I had to make it when working on a school project behind a crappy (commercial) firewall that does some exaggerated traffic filtering. It filtered all DNS requests that had an EDNS part, so BIND timed out on every DNS request. Some research showed that more people had this problem and didn't find a solution (except HP; they have some patched version of BIND 9.2.0 with this global flag added too, but they didn't publish any source). I hope the next person to look for this will find this patch useful...

Since I don't expect the BIND people to be happy about the way I implemented this, I'll just put the patch on-line. Good luck! And don't forget to put "edns no" in your named.conf after installing your patched BIND. :-)

Wilmer van der Gaast.

diff -uNr bind9-9.3.1/bin/named/config.c bind9-edns/bin/named/config.c --- bind9-9.3.1/bin/named/config.c 2004-10-05 04:52:26.000000000 +0200 +++ bind9-edns/bin/named/config.c 2005-10-04 18:42:33.000000000 +0200 @@ -54,6 +54,7 @@ " deallocate-on-exit true;\n\ # directory \n\ dump-file \"named_dump.db\";\n\ + edns yes;\n\ fake-iquery no;\n\ has-old-clients false;\n\ heartbeat-interval 60;\n\ diff -uNr bind9-9.3.1/bin/named/server.c bind9-edns/bin/named/server.c --- bind9-9.3.1/bin/named/server.c 2004-11-10 23:13:56.000000000 +0100 +++ bind9-edns/bin/named/server.c 2005-10-04 18:43:47.000000000 +0200 
@@ -2670,6 +2670,11 @@ "strdup"); obj = NULL; + result = ns_config_get(maps, "edns", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_peer_setsupportedns(NULL, cfg_obj_asboolean(obj)); + + obj = NULL; result = ns_config_get(maps, "recursing-file", &obj); INSIST(result == ISC_R_SUCCESS); CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)), diff -uNr bind9-9.3.1/lib/dns/peer.c bind9-edns/lib/dns/peer.c --- bind9-9.3.1/lib/dns/peer.c 2004-03-06 09:13:41.000000000 +0100 +++ bind9-edns/lib/dns/peer.c 2005-10-04 18:42:33.000000000 +0200 @@ -348,10 +348,17 @@ return (ISC_R_NOTFOUND); } +static isc_boolean_t global_edns_status = ISC_TRUE; + isc_result_t dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval) { isc_boolean_t existed; + if (peer == NULL) { + global_edns_status = newval; + return (ISC_R_SUCCESS); + } + REQUIRE(DNS_PEER_VALID(peer)); existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags); @@ -364,9 +371,15 @@ isc_result_t dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval) { - REQUIRE(DNS_PEER_VALID(peer)); REQUIRE(retval != NULL); + if (peer == NULL) { + *retval = global_edns_status; + return (ISC_R_SUCCESS); + } + + REQUIRE(DNS_PEER_VALID(peer)); + if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) { *retval = peer->support_edns; return (ISC_R_SUCCESS); diff -uNr bind9-9.3.1/lib/dns/resolver.c bind9-edns/lib/dns/resolver.c --- bind9-9.3.1/lib/dns/resolver.c 2005-02-09 00:59:44.000000000 +0100 +++ bind9-edns/lib/dns/resolver.c 2005-10-04 18:42:33.000000000 +0200 @@ -1202,7 +1202,6 @@ * and then inform the ADB for future use. */ if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 && - peer != NULL && dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS && !useedns) { diff -uNr bind9-9.3.1/lib/isccfg/namedconf.c bind9-edns/lib/isccfg/namedconf.c --- bind9-9.3.1/lib/isccfg/namedconf.c 2004-10-18 01:19:51.000000000 +0200 +++ bind9-edns/lib/isccfg/namedconf.c 2005-10-04 18:44:28.000000000 +0200 
@@ -581,6 +581,7 @@ { "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK }, { "dump-file", &cfg_type_qstring, 0 }, + { "edns", &cfg_type_boolean, 0 }, { "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "files", &cfg_type_size, 0 }, { "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
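Review bot: in the server.c hunk, passing NULL as the peer to dns_peer_setsupportedns() to mean "set the server-wide default" overloads an API that until now began with REQUIRE(DNS_PEER_VALID(peer)); a dedicated setter for the global default would be clearer and would not change the meaning of existing calls. The INSIST(result == ISC_R_SUCCESS) after ns_config_get(maps, "edns", &obj) is only safe because the config.c hunk adds `edns yes;` to the built-in defaults, so the two hunks must be applied together, and a comment on the ns_config_get() call saying so would help the next person who backports one without the other. The value is also read once, from the global options only, so it cannot be set per view, and an rndc reconfig that changes it rewrites shared state in lib/dns while resolver code may be reading it.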
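Review bot: in the first peer.c hunk, global_edns_status is an unprotected static in a library (lib/dns) that is written from the server on configuration and read on the resolver path; a single isc_boolean_t store is unlikely to tear, but there is no lock, no accessor to reset it, and every consumer linked against lib/dns now shares the one default. The new `if (peer == NULL)` early return also silently widens the contract of dns_peer_setsupportedns(), which previously rejected NULL via the REQUIRE; the declaration in the header should say that NULL selects the global default so callers do not discover this by reading peer.c.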
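Review bot: in the second peer.c hunk, the global default is consulted only when peer is NULL. A peer that exists because named.conf has a server clause for that address for some other reason, but which carries no explicit edns setting, never reaches the `*retval = global_edns_status;` branch, so a global `edns no` will not apply to it and EDNS will still be used for that server. Consider returning global_edns_status when DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags) is false, e.g. `*retval = global_edns_status; return (ISC_R_SUCCESS);` in place of the function's current not-found path, so the per-server value overrides the global one and the global one otherwise applies everywhere. Moving REQUIRE(DNS_PEER_VALID(peer)) below the NULL check is the right order, since the REQUIRE would otherwise reject NULL before the new branch runs.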
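Review bot: in the resolver.c hunk, removing `peer != NULL &&` makes this condition depend on the new NULL handling in dns_peer_getsupportedns(); applied to a tree without the peer.c change, the REQUIRE(DNS_PEER_VALID(peer)) would fire on every query to a server that has no server clause. Because the condition is an && chain, any result other than ISC_R_SUCCESS leaves EDNS enabled for that query, which is exactly what happens today for a non-NULL peer with no per-server edns setting, so the global flag is bypassed for such servers unless dns_peer_getsupportedns() falls back to the global value for them. A one-line comment here stating that a NULL peer now means "use the global edns setting" would spare readers a trip to peer.c.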
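Review bot: in the namedconf.c hunk, the new `{ "edns", &cfg_type_boolean, 0 }` entry is added only to this clause table (the options block, judging by its neighbours directory and dump-file), so the option cannot be set per view, and it reuses the name of the existing per-server edns clause with a different scope. A distinct name such as a hypothetical `edns-default`, or at least a note in the named.conf man page and the ARM explaining that the options-level clause is a default that server clauses override, would avoid confusion; no documentation change accompanies the new option in this patch.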