recursive resolver, 9.9.7 works, not 9.10.x

Mark Andrews marka at isc.org
Thu Apr 23 20:56:13 UTC 2015


The nameservers for umea.se are broken.  BIND 9.10.x Windows does
SIT by default.  The correct EDNS behaviour for a server that does
not understand an EDNS option is to *ignore* the option.

Add the following to named.conf to temporarily work around the
broken server.

        server 193.254.4.46 { request-sit no; };
        server 2a00:1718:1:8::46 { request-sit no; };
        server 193.254.4.34 { request-sit no; };
        server 2a00:1718:1:8::34 { request-sit no; };

Doing this does not scale.

As this zone is both signed and has broken servers that return
FORMERR, named ends up falling back to plain DNS due to the FORMERR,
and that results in DNSSEC validation failing.

.SE has a high number of DNSSEC validated zones so it would be useful
if .SE audited the delegated servers for correct behaviour when an
EDNS extension is in the query (unknown EDNS option, unknown EDNS
version, unknown EDNS flag) and then informed the operators of said
servers that they need to FIX THEM.  I already have scripts that
can do the testing if people want them.

It isn't impossible to get rid of broken authoritative servers. It
just takes a little bit of will to do the tests and to send out
notices that people have broken servers.

See http://users.isc.org/~marka/summary.html for some data on EDNS
compliance.

See http://tools.ietf.org/html/draft-andrews-dns-no-response-issue-07
for discussion on the issue.

Mark

[rock:~/git/bind9] marka% dig www.umea.se @193.254.4.46

; <<>> DiG 9.11.0pre-alpha <<>> www.umea.se @193.254.4.46
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40130
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.umea.se.			IN	A

;; ANSWER SECTION:
www.umea.se.		176400	IN	CNAME	wwwumea.net.umea.se.
wwwumea.net.umea.se.	176400	IN	A	193.254.4.31

;; Query time: 544 msec
;; SERVER: 193.254.4.46#53(193.254.4.46)
;; WHEN: Fri Apr 24 06:32:10 EST 2015
;; MSG SIZE  rcvd: 82

[rock:~/git/bind9] marka% dig www.umea.se @193.254.4.46 +sit

; <<>> DiG 9.11.0pre-alpha <<>> www.umea.se @193.254.4.46 +sit
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28819
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; SIT: 7c867c16a681fd9e (good)
;; QUESTION SECTION:
;www.umea.se.			IN	A

;; Query time: 361 msec
;; SERVER: 193.254.4.46#53(193.254.4.46)
;; WHEN: Fri Apr 24 06:32:16 EST 2015
;; MSG SIZE  rcvd: 52

[rock:~/git/bind9] marka% 


In message <55391CA0.4090009 at abundo.se>, Anders Löwinger writes:
> Hi
> 
> I'm troubleshooting a strange problem. Customer uses bind 9.10.1 as a
> recursive resolver and they cannot resolve some domains.
> 
> Platform is windows server 2012, 64-bit
> 
> I've installed 9.9.7, 9.10.1 and 9.10.2 in my lab, only 9.9.7 can resolve
> umea.se, I used the exact same configuration in all three.
> 
> With 9.10.x I get "dnssec: info: validating umea.se/SOA: got insecure
> response; parent indicates it should be secure" in the log
> 
> These validate the umea.se domain as ok:
> 
>   * http://dnscheck.iis.se/?time=1429805786&id=4683492&view=basic&test=standard
>   * http://dnssec-debugger.verisignlabs.com/umea.se#
>   * http://zonemaster.se/test/8675
> 
> 
> This one flags some errors, there are two expired and one valid RRSIG for
> the SOA
> 
>   * http://dnsviz.net/d/umea.se/dnssec/
> 
> 
> 
> Any tips on how to resolve this? (downgrade to 9.9.7 or is there any other
> solution?)
> 
> 
> Thanks
> Anders Löwinger, Abundo AB, +46 72 206 0322
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
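The compliance probe Mark describes (an unknown EDNS option or version in the query, then checking whether the server ignores it or answers FORMERR), as an added example that is neither Mark's scripts nor ISC code. It builds the probe query by hand and classifies a reply the way a resolver would; the two replies are constructed to mirror the dig output above (not captured packets), and the option code is an assumption taken from the range RFC 6891 reserves for local/experimental use.

```python
import struct

# Assumed for this example: a code from the EDNS option range RFC 6891 reserves for
# local/experimental use, so no deployed server should understand it.
UNKNOWN_OPTION = 65001

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234, version=0, option=UNKNOWN_OPTION, data=b""):
    """A/IN query with RD set plus one OPT RR (RFC 6891) carrying a single option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = struct.pack("!HH", option, len(data)) + data
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, version, 0, len(rdata)) + rdata
    return header + question + opt

def _skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def classify(msg):
    """'ignored' = correct EDNS behaviour, 'formerr' = broken like umea.se, 'no-edns' = no OPT."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rcode, has_opt = 12, flags & 0xF, False
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns and rtype == 41:  # OPT sits in the additional section
            has_opt, rcode = True, rcode | ((ttl >> 24) << 4)  # add extended RCODE bits
    if not has_opt:
        return "no-edns"
    return "formerr" if rcode == 1 else "ignored"

def fake_response(qid, rcode, opt_rdata=b"", answer=b""):
    """Constructed reply (not a captured packet) shaped like the dig output above."""
    header = struct.pack("!HHHHHH", qid, 0x8100 | rcode, 1, 1 if answer else 0, 0, 1)
    question = encode_name("www.umea.se") + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0, len(opt_rdata)) + opt_rdata
    return header + question + answer + opt

A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 176400, 4) + bytes([193, 254, 4, 31])
BROKEN = fake_response(28819, 1, struct.pack("!HH", UNKNOWN_OPTION, 8) + bytes(8))  # FORMERR
CORRECT = fake_response(40130, 0, b"", A_RECORD)  # NOERROR, option simply ignored
```

To audit a live authoritative server, send build_query() over UDP port 53 and pass the reply to classify(): "formerr" with an OPT record present is exactly the umea.se failure mode that makes a validating resolver fall back to plain DNS.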