What do +EDC and other letters I see in my query log mean?
  • 05 Oct 2018

This is documented in the BIND Administrator Reference Manual (which you'll find both here in our Knowledgebase and in the BIND source code tarball).

Look for the section that deals with logging categories, and specifically at category queries:

The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported.

Note: This reflects BIND 9.11.0 behaviour.

+EDC on a query indicates that it is:

  • Recursive (+) - it has come from a client or a server that is forwarding queries to your server.
  • Sent with EDNS0 (E) - the sender is using larger UDP packet sizes and signalling the size that can be accepted.
  • From a sender that understands DNSSEC (D) - this is a request to your server to include any DNSSEC material associated with the answer in the query reply.
  • DNSSEC validation checking is disabled (C) - the sender wants the answer anyway, even if the validation checks fail.
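
For log analysis it helps to decode these letters mechanically. The following parser is an added example, not code from BIND or ISC; the function names are hypothetical, the line layout is assumed from the field order in the manual text quoted above, and the sample lines are constructed. It accepts both the bare `E` form used in this article and the `E(#)` form with a version number.

```python
import re

# Flag letters from the manual text quoted above (BIND 9.11.0 behaviour).
FLAG_NAMES = {"S": "signed", "T": "tcp", "D": "dnssec_ok",
              "C": "checking_disabled", "V": "valid_server_cookie",
              "K": "cookie_without_valid_server_cookie"}

# Assumed layout: fields in the order the quoted text lists them.
LINE_RE = re.compile(
    r"client (?:@(?P<client_id>0x[0-9a-fA-F]+) )?(?P<ip>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)(?: \((?P<dest>[^)]+)\))?")

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    "client @0x7f0a1c0d2e10 192.0.2.10#53211 (www.example.com): "
    "query: www.example.com IN A +E(0)DC (192.0.2.53)",
    "client @0x7f0a1c0d3f20 2001:db8::25#40022 (example.net): "
    "query: example.net IN MX -E(0)TK (2001:db8::53)",
]

def decode_flags(flags):
    """Decode a flag string such as '+EDC' or '-SE(0)TDCV' into a dict."""
    m = re.fullmatch(r"([+-])((?:E(?:\(\d+\))?|[STDCVK])*)", flags)
    if not m:
        raise ValueError(f"unrecognised query flags: {flags!r}")
    decoded = {name: False for name in FLAG_NAMES.values()}
    decoded.update(recursion_desired=m.group(1) == "+",
                   edns=False, edns_version=None)
    for tok in re.finditer(r"E(?:\((\d+)\))?|[STDCVK]", m.group(2)):
        if tok.group(0).startswith("E"):
            decoded["edns"] = True
            if tok.group(1) is not None:  # version is absent in a bare 'E'
                decoded["edns_version"] = int(tok.group(1))
        else:
            decoded[FLAG_NAMES[tok.group(0)]] = True
    return decoded

def parse_query_line(line):
    """Return the fields of one query log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_query_line(line))
```

A flag string containing a letter outside the documented set raises `ValueError`, so a change in log format is noticed rather than silently mis-decoded.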