What do +EDC and other letters I see in my query log mean?


This is documented in the BIND Administrator Reference Manual (which you'll find both on our website and in the BIND source code tarball):


Look for the section that deals with logging categories, and specifically at category queries:

The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported.

Note: This reflects BIND 9.11.0 behaviour.

+EDC on a query indicates that:

  • The query is recursive (+) - it has come from a client or a server that is forwarding queries to your server
  • The sender is using EDNS0 (E) - using larger UDP packet sizes and signalling the size that can be accepted
  • The sender understands DNSSEC (D) - this is a request to your server to include any DNSSEC material associated with the answer in the query reply.
  • DNSSEC validation checking is disabled (C) - the sender wants the answer anyway, even if the validation checks fail.
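
The following Python is an added example, not code from the BIND manual or from ISC. It decodes the flag field described above and extracts it from a query log line. The sample lines are constructed, and the regular expression for the overall line layout is an assumption based on the manual text quoted above.

```python
import re

# Flag field in the order the manual lists it: RD sign, S, E or E(#), T, D, C, V, K.
FLAGS_RE = re.compile(
    r"^(?P<rd>[+-])(?P<S>S)?(?P<E>E(?:\((?P<ver>\d+)\))?)?"
    r"(?P<T>T)?(?P<D>D)?(?P<C>C)?(?P<V>V)?(?P<K>K)?$"
)
# Assumed layout: client [@0x..] ip#port [(name)]: [view x: ]query: name class type flags [(dest)]
LINE_RE = re.compile(
    r"client (?:@(?P<obj>0x[0-9a-fA-F]+) )?(?P<ip>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>[+-]\S*)(?: \((?P<dest>[^)]+)\))?\s*$"
)

def decode_flags(field):
    """Turn a flag field such as '+EDC' or '-E(0)TDV' into named values."""
    m = FLAGS_RE.match(field)
    if m is None:
        raise ValueError(f"unrecognised query log flag field: {field!r}")
    return {
        "recursion_desired": m["rd"] == "+",
        "signed": m["S"] is not None,
        "edns": m["E"] is not None,
        "edns_version": int(m["ver"]) if m["ver"] else None,
        "tcp": m["T"] is not None,
        "dnssec_ok": m["D"] is not None,
        "checking_disabled": m["C"] is not None,
        "valid_server_cookie": m["V"] is not None,
        "cookie_without_valid_server_cookie": m["K"] is not None,
    }

def parse_query_line(line):
    """Return client, question, destination and decoded flags, or None if not a query line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = [
    "client @0x7f3c2c0a1b10 192.0.2.10#53124 (example.com): query: example.com IN A +EDC (203.0.113.5)",
    "client @0x7f3c2c0a2c20 2001:db8::7#40111 (www.example.net): query: www.example.net IN AAAA -E(0)TDV (203.0.113.5)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_query_line(line))
```

The `E` group accepts both the bare `E` seen in `+EDC` and the `E(#)` form with a version number, so the same decoder handles either style of log.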