odbc.ucas.com lookup problem

Kevin Darcy kcd at chrysler.com
Tue Jul 20 19:33:28 UTC 2010


On 7/20/2010 1:41 PM, Tony Finch wrote:
> On Tue, 20 Jul 2010, Kevin Darcy wrote:
>
>> It seems that UCAS is just proxying non-A queries from its load-balancers back
>> to its regular nameservers.
>>
> No, the load balancers are simply braindamaged. Try SOA or NS or TXT
> queries and you get a timeout.
>

The contents of the ucas.com SOA record they return in their negative 
reply don't match up with what the authoritative servers return, so 
it's anyone's guess where that's coming from -- a stale "shadow" version 
of the zone, an *internal* version of the zone (which if true 
would/should raise security concerns), something statically configured 
into the load-balancers themselves, who knows?

I was trying to give them the benefit of the doubt as to a 
misconfiguration of their devices, but I'm starting to agree with you 
that this is simply YABLI (Yet Another Braindamaged Load-balancer 
Implementation).

Timing out on non-A/non-AAAA queries is of course reprehensible, but 
what's even worse is the sending of spurious NXDOMAINs in response to 
"unexpected" QTYPEs, under certain configurations of a particular make 
of load-balancer. That's a DoS waiting to happen. Fortunately the vendor 
in question there recognizes the problem and is working on a fix for it.

                                                     - Kevin
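The three symptoms discussed in this thread (timeouts on non-A queries, NXDOMAIN returned for "unexpected" QTYPEs on a name that plainly exists, and a negative-reply SOA that disagrees with the authoritative zone) can be checked mechanically from the raw replies. The Python below is an added example, not code from the thread or from any vendor: it parses DNS replies in wire format (including compression pointers), pulls the SOA serial out of the authority section, and reports each symptom. The sample replies, the ns.example / hostmaster.example names and both SOA serials are constructed placeholders, not values from the page.

```python
import struct
QTYPE = {'A': 1, 'NS': 2, 'SOA': 6, 'TXT': 16}
NOERROR, NXDOMAIN = 0, 3
def encode_name(name):  # uncompressed wire-format name
    return b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\0'
def decode_name(msg, off, end=None):  # follows compression pointers; returns (name, offset past the field)
    labels = []
    while msg[off]:
        if msg[off] & 0xC0:                          # pointer: remember where the field ends, then jump
            end = end or off + 2
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return '.'.join(labels), (end or off + 1)
def build_reply(qname, qtype, rcode, soa=None):  # constructed reply: header + question, optional SOA in authority
    msg = struct.pack('!6H', 0x1234, 0x8400 | rcode, 1, 0, 1 if soa else 0, 0)
    msg += encode_name(qname) + struct.pack('!HH', QTYPE[qtype], 1)
    if soa:                                          # owner name is a pointer to the QNAME at offset 12
        rdata = encode_name(soa[0]) + encode_name(soa[1]) + struct.pack('!5I', soa[2], 3600, 600, 86400, 300)
        msg += b'\xc0\x0c' + struct.pack('!HHIH', 6, 1, 300, len(rdata)) + rdata
    return msg
def parse_reply(msg):  # returns (rcode, serial of the authority-section SOA or None)
    _, flags, qd, an, ns, _ = struct.unpack('!6H', msg[:12])
    off, serial = 12, None
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4           # skip QTYPE and QCLASS
    for i in range(an + ns):                         # answer RRs are skipped, authority RRs inspected
        off = decode_name(msg, off)[1]
        rtype, rdlen = struct.unpack('!H6xH', msg[off:off + 10]); off += 10
        if i >= an and rtype == 6:                   # SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MIN
            p = decode_name(msg, decode_name(msg, off)[1])[1]
            serial = struct.unpack('!I', msg[p:p + 4])[0]
        off += rdlen
    return flags & 0xF, serial
def audit(replies, auth_serial):  # replies: qtype -> wire reply, None = timeout; returns a list of findings
    parsed, out = {t: parse_reply(m) for t, m in replies.items() if m}, []
    exists = any(rc == NOERROR for rc, _ in parsed.values())   # NOERROR for any type means the name exists
    for qtype in replies:
        if qtype not in parsed:
            out.append(f'{qtype}: timeout'); continue
        rcode, serial = parsed[qtype]
        if rcode == NXDOMAIN and exists:             # NXDOMAIN is per-name, so this contradicts the NOERROR
            out.append(f'{qtype}: spurious NXDOMAIN for a name that exists')
        if serial not in (None, auth_serial):
            out.append(f'{qtype}: negative-reply SOA serial {serial} != authoritative {auth_serial}')
    return out
AUTH_SERIAL = 2010072001  # assumed serial of the real zone (not from the page); the replies below are constructed
SAMPLE = {'A': build_reply('ucas.com', 'A', NOERROR), 'NS': None, 'SOA': None,
          'TXT': build_reply('ucas.com', 'TXT', NXDOMAIN, ('ns.example', 'hostmaster.example', 2010010100))}
```

`audit(SAMPLE, AUTH_SERIAL)` reports the two timeouts, the bogus NXDOMAIN for TXT and the stale serial; a name for which every QTYPE returns NXDOMAIN produces no spurious-NXDOMAIN finding.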





More information about the bind-users mailing list