Problem looking up domain dryfire.com

Mark Andrews marka at isc.org
Tue Aug 16 11:13:06 UTC 2016


The nameservers are broken.  They send back rcode 17 (which is yet
to be assigned) when they see a query with an EDNS option present
rather than ignore the option as required by RFC 6891.  They also
send back RCODE 17 rather than BADVERS (16) when sent an EDNS(1)
query.  The servers also don't answer over TCP, which is a third issue.

The operators should contact their nameserver vendor for a fix or
otherwise replace them.

EDNS compliance test results for dryfire.com can be found at
https://ednscomp.isc.org/ednscomp/210f3a1e3e

You can work around this in the short term by adding server clauses
for the servers to tell named to not send EDNS COOKIES to them.
This of course does not scale.

	server <prefix> { request-sit no; };	9.10.x
	server <prefix> { send-cookie no; };	9.11.0 onwards

Mark

; <<>> DiG 9.11.0b3 <<>> +dnssec dryfire.com ns @213.162.97.178
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: ?17, id: 29228
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 440 msec
;; SERVER: 213.162.97.178#53(213.162.97.178)
;; WHEN: Tue Aug 16 20:58:42 EST 2016
;; MSG SIZE  rcvd: 23

; <<>> DiG 9.11.0b3 <<>> +dnssec dryfire.com ns @213.162.97.178 +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49671
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dryfire.com.			IN	NS

;; ANSWER SECTION:
dryfire.com.		21600	IN	NS	dns0.getsurfed.com.
dryfire.com.		21600	IN	NS	dns1.getsurfed.com.

;; Query time: 367 msec
;; SERVER: 213.162.97.178#53(213.162.97.178)
;; WHEN: Tue Aug 16 20:59:37 EST 2016
;; MSG SIZE  rcvd: 88


; <<>> DiG 9.11.0b3 <<>> +dnssec dryfire.com ns @213.162.97.178 +nocookie +edns=1 +noednsneg
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: ?17, id: 8994
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 541 msec
;; SERVER: 213.162.97.178#53(213.162.97.178)
;; WHEN: Tue Aug 16 21:06:13 EST 2016
;; MSG SIZE  rcvd: 23


In message <9634ef8af31f19965c5c3b2db3f98b58 at gluping.no>, Eivind Olsen writes:
> Hello.
> 
> I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving 
> getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for 
> RHEL/CentOS/Fedora.
> 
> I can do manual lookups of the domain with "dig" and point it to their 
> servers (dns0.getsurfed.com, dns1.getsurfed.com) but it fails for me if 
> I go through my BIND installation.
> 
> The named.run log contains lines like this:
> 
> 16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE 
> resolving 'dryfire.com/NS/IN': 213.162.97.178#53
> 16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE 
> resolving 'dryfire.com/NS/IN': 213.162.97.177#53
> 
> A search for "17 unexpected RCODE" seems to indicate this might be 
> caused by incompatibility between SIT/DNS cookies and older versions of 
> NSD. Is this also what's happening in my case here?
> 
> Regards
> Eivind Olsen
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
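
Added example, not part of the original post and not ISC code: a small parser showing how the 12-bit extended RCODE in the dig output above is assembled from the header's low 4 bits and the top byte of the OPT record's TTL field, plus a check for the two RFC 6891 behaviours the post describes. The sample message is constructed to match the 23-byte reply shown; the function names are hypothetical, and the check assumes a server that implements only EDNS(0).

```python
import struct

BADVERS = 16  # RFC 6891 extended RCODE for an unsupported EDNS version
OPT = 41      # OPT pseudo-RR type

def build_response(rcode, version=0, flags=0x8120, msg_id=29228):
    """Constructed sample: header plus one empty OPT RR, 23 bytes in total."""
    header = struct.pack("!6H", msg_id, flags | (rcode & 0xF), 0, 0, 0, 1)
    ttl = ((rcode >> 4) << 24) | (version << 16)  # upper 8 RCODE bits, version
    return header + b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, 0)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_extended_rcode(msg):
    """Return (12-bit RCODE, EDNS version); version is None without OPT."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    return rcode, version

def edns_verdict(baseline_rcode, probe_rcode, probe_version=0):
    """Compare a probe against the same query sent without the EDNS option.

    Assumes the server implements only EDNS(0), as in the post.
    """
    if probe_version > 0:
        if probe_rcode == BADVERS:
            return "ok"
        return "expected BADVERS (16), got %d" % probe_rcode
    if probe_rcode == baseline_rcode:
        return "ok"
    return "option not ignored: rcode %d, baseline %d" % (probe_rcode, baseline_rcode)

if __name__ == "__main__":
    rcode, version = parse_extended_rcode(build_response(17))
    print(rcode, version, edns_verdict(0, rcode))
```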

