I was looking at the DNS servers I admin last week and noticed, among other things, the following error message showing up frequently in the system logs:
Feb 23 10:23:08 baltimore named[14105]: [ID 873579 daemon.info] \ edns-disabled: info: too many timeouts resolving \ '171.221.32.207.sbl.spamhaus.org/TXT' \ (in 'sbl.spamhaus.org'?): disabling EDNS
This looks like a problem that should be fixed. I googled this error message and 9 out of 10 replies to people asking how to deal with this error were (and I'm paraphrasing):
“Oh just ignore it, and here’s how to configure logging to not log those errors”
WTF? How about some helpful information about why this is happening and how to fix it? Or at least more information on why it is happening, so a person can understand the root cause before deciding what to do about it.
Here is a posting from Mark Williamson on the bind-users mailing list that does provide some useful information for making an informed decision about whether to disable logging of these events:
"disabling EDNS" is issued when named experiences too many timeouts to EDNS queries and named decides to give up on EDNS and revert to plain old DNS. Now timeouts can be the result of many things. Broken nameservers that don't respond to EDNS queries. Firewalls that block EDNS queries. Firewalls that block fragmented responses. Firewalls/NATs that don't handle out of order fragments. Timeouts can also be due to other network problems including unreachable servers. If you are getting lots of these then you do have network / firewall problems. They may however *not* be caused by EDNS. The message has the symptom "too many timeouts", what it was trying to do "resolving 'ns.cmmail.com/AAAA' (in 'cmmail.com'?)" and what named is doing "disabling EDNS" to try to rectify the problem.
Based on that information I think I will be disabling these messages.
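The quoted post says the timeouts may come from firewalls dropping EDNS queries or fragmented responses rather than from a generally unreachable server, so the useful check is whether a given server answers the same query without EDNS but not with it. The following small probe is an added example (not code from the original post or from BIND): it builds the query by hand, once with an EDNS0 OPT record and once without, and reports which one got an answer. The function names, the 4096-byte payload size and the sample packets in the test are my own choices.

```python
import socket
import struct
def build_query(name, qtype=16, edns=True, bufsize=4096, txid=0x1234):
    """Recursion-desired query (qtype 16 = TXT); edns=True adds an OPT RR
    advertising `bufsize` bytes of UDP payload in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    # OPT RR: root name, type 41, class = payload size, TTL = ext flags, no rdata
    opt = (b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)) if edns else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def has_opt_record(resp):
    """True if any RR after the question section is an OPT (type 41) record."""
    qd, an, ns, ar = struct.unpack("!HHHH", resp[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen   # type, class, ttl, rdlength, then rdata
    return False

def probe(server, name, timeout=3.0):
    """Send the query with and without EDNS. True = answered (with an OPT RR for
    the EDNS probe), False = answered without EDNS, None = timed out."""
    results = {}
    for label, edns in (("edns", True), ("plain", False)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, edns=edns), (server, 53))
                data, _ = sock.recvfrom(4096)
                results[label] = has_opt_record(data) if edns else True
            except socket.timeout:
                results[label] = None
    return results
```

Calling `probe("<server IP>", "<name from the log line>")` and getting `{'edns': None, 'plain': True}` points at something on the path dropping EDNS queries or their (possibly fragmented) responses, which is the firewall case the post describes; `{'edns': None, 'plain': None}` is the plain unreachable-server case.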