Disabling EDNS0=1232 fallback in unbound

Moin,

I am currently setting up a couple of test systems. Part of that is running DNS queries with EDNS0=4096.

With unbound, if I configure EDNS0=4096, there will be a retry with EDNS0=1232 if the EDNS0=4096 query fails. Is there any easy way to make unbound stop doing that (other than a custom firewall fnord that drops packets with EDNS0=1232)?

I know that this is, in general, not a sensible request. :wink: But there are reasons for it. :stuck_out_tongue_winking_eye:

With best regards,

Tobias

Hey Tobias,

Not an easy way to do that.
By quickly looking at the code I assume this is IPv6/UDP?
If you compile from source the least hacky way would be to change the values at around unbound/services/outside_network.h at 8ada1bd88d2bc406c7a674d0e949ef5c63d648bd · NLnetLabs/unbound · GitHub and let them be the same or higher as the configured edns-buffer-size: 4096 in your case.

There may still be another retry without EDNS in some cases IIRC but I haven’t checked further atm.
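To see whether the retry actually happens on the wire, here is an added example (not from this thread and not Unbound's own code) that builds a minimal DNS/UDP query with an EDNS0 OPT record advertising a given buffer size, parses the advertised size back out of raw query bytes, and checks a capture sequence against the configured edns-buffer-size; the query bytes it feeds itself are constructed, and a query without OPT stands in for the no-EDNS retry mentioned above.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR; its CLASS field carries the UDP payload size

def build_query(qname: str, udp_payload_size=None, txid: int = 0x1234) -> bytes:
    """Constructed A query for qname; with an OPT RR advertising udp_payload_size,
    or plain (no EDNS0) when udp_payload_size is None."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if udp_payload_size is None:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def edns_udp_size(msg: bytes):
    """UDP payload size advertised by the OPT RR of a DNS message, or None if no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def sizes_below(queries, configured: int):
    """Advertised sizes (None = no EDNS0) of captured queries that fall below the
    configured edns-buffer-size, i.e. evidence that the resolver retried smaller."""
    seen = [edns_udp_size(q) for q in queries]
    return [s for s in seen if s is None or s < configured]
```

Feed it the outgoing queries from a capture of the resolver's upstream traffic; an empty result from `sizes_below(queries, 4096)` means no retry with 1232 or without EDNS was observed.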

There may still be another retry without EDNS in some cases IIRC but I haven’t checked further atm.

I thought this fallback was removed after DNS Flag Day? Are you saying Unbound still kept it?

The fallback because of timeouts is out. But based on the answer Unbound may decide to try without EDNS.

Ah sure, fallback if the response is FORMERR needs to stay. Thank you for clarifying.

Thanks! Kind of makes sense. Have to see how to move that into my automation (currently running multiple unbound instances for multiple cases (tcp only, udp only etc.) and they all come from the same pkg).

With best regards,

Tobias