[Opendnssec-user] Thanks

Havard Eidnes he at uninett.no
Mon Sep 2 09:29:22 UTC 2019

>>> server {
>>> 	keys { opendnssec-out; };
>>> 	edns no;
>>> };
>> Oh, this is trying to mix "modern BIND" with OpenDNSSEC?
>> This could then be an instance related to
>>   https://issues.opendnssec.org/browse/SUPPORT-242
>> which is OpenDNSSEC which fails to skip over the cookie option
>> newer BIND now sends.
> It's BIND 9.11.9-RedHat-9.11.9-1.fc30 with a self compiled opendnssec
> version 2.1.4.

Hm, I can't remember off-hand whether BIND 9.11 sends cookie
option or not...  Looks like it got enabled by default in that
version, ref.: https://kb.isc.org/docs/aa-01387

> Are there any recommendations for a "modern" replacement for opendnssec?

Nope, sorry, this appears to be an as yet unsolved problem in
OpenDNSSEC.  My issue was reported against version 1.4.13, but
the same bug appears to be present in 2.1.4, and by the looks of
it, the patch submitted in the bug report looks like it'll apply
to 2.1.4 as well.

For now running with "edns no;" is a suitable workaround.


- Håvard

More information about the Opendnssec-user mailing list