bind 9.11, cookies by default

Carl Byington carl at byington.org
Wed Nov 16 18:38:35 UTC 2016



Now that bind is sending cookies by default, there are some broken
servers out there that we need to configure with send-cookie no;.

Unless I am missing something, 9.11.0-P1 will (by default) fail to
resolve names like airdownload.wip4.adobe.com.

In the interest of publicly naming and shaming their operators, I will
add an "include /etc/named.broken.servers" file in my packaging. The
content so far is below. Send me a note if you run into any others.


// adobe servers that don't understand edns options
// dig wip4.adobe.com ns
// dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
// dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
server 192.150.16.247   { send-cookie no; };
server 192.150.19.247   { send-cookie no; };
server 193.104.215.247  { send-cookie no; };



// eia.gov servers that don't understand edns options
// dig eia.gov ns
// dig phantom.eia.gov. @205.254.135.9   +cookie => formerr
// dig phantom.eia.gov. @205.254.135.9 +nocookie => noerror
server 205.254.135.9    { send-cookie no; };
server 199.36.140.199   { send-cookie no; };



// lctcs.edu servers that don't understand edns options
// dig lctcs.edu ns
// dig www.lctcs.edu @76.165.120.16   +cookie => formerr
// dig www.lctcs.edu @76.165.120.16 +nocookie => noerror
server 76.165.120.16    { send-cookie no; };
server 76.165.210.249   { send-cookie no; };



// london-nano.com servers that don't understand edns options
// dig london-nano.com ns
// dig www.london-nano.com @213.162.97.177   +cookie
// dig www.london-nano.com @213.162.97.177 +nocookie
server 213.162.97.177   { send-cookie no; };
server 213.162.97.178   { send-cookie no; };



// etdbw.com servers that don't understand edns options (www.mycoverageinfo.com)
// dig www.mycoverageinfo.gtm.etdbw.com. +trace
// dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7   +cookie => noerror, 0 answers
// dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +nocookie => noerror, 1 answer
server 167.79.45.7      { send-cookie no; };
server 167.79.182.7     { send-cookie no; };
server 167.79.186.7     { send-cookie no; };
server 167.79.192.7     { send-cookie no; };

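The +cookie / +nocookie comparison recorded in the comments above, as an added example that is not part of the original message: it parses two dig outputs for the same query and emits a server clause only when the cookie-less reply is a clean NOERROR and the cookie reply differs. The function names, the sample dig text and the 192.0.2.x addresses are constructed for illustration; treating a +cookie timeout as a failure is an assumption of this example.

```python
import re

# Fields from dig's header lines, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4242
#   ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
_STATUS = re.compile(r"status:\s*([A-Z]+)")
_ANSWER = re.compile(r"ANSWER:\s*(\d+)")


def summarize(dig_output):
    """Return (rcode, answer_count), or None if dig got no reply (timeout)."""
    status = _STATUS.search(dig_output)
    answers = _ANSWER.search(dig_output)
    if not status or not answers:
        return None
    return status.group(1), int(answers.group(1))


def cookie_broken(with_cookie, without_cookie):
    """True if the +nocookie reply is a clean NOERROR and the +cookie reply differs."""
    baseline = summarize(without_cookie)
    if baseline is None or baseline[0] != "NOERROR":
        return False  # no healthy baseline, so the cookie option cannot be blamed
    return summarize(with_cookie) != baseline


def stanza(ip, with_cookie, without_cookie):
    """Return a named.conf server clause in the message's layout, or None."""
    if cookie_broken(with_cookie, without_cookie):
        return "server %-16s { send-cookie no; };" % ip
    return None


def sample_dig(status, answers):
    # Constructed sample of dig's header output; not captured from a real server.
    return (";; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242\n"
            ";; flags: qr aa; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 1\n"
            % (status, answers))


TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    probes = [  # (server in the 192.0.2.0/24 documentation range, +cookie, +nocookie)
        ("192.0.2.9", sample_dig("FORMERR", 0), sample_dig("NOERROR", 1)),
        ("192.0.2.10", sample_dig("NOERROR", 0), sample_dig("NOERROR", 1)),
        ("192.0.2.11", sample_dig("NOERROR", 1), sample_dig("NOERROR", 1)),
        ("192.0.2.12", TIMEOUT, TIMEOUT),
    ]
    for ip, cookie, plain in probes:
        print(stanza(ip, cookie, plain) or "// %s: no cookie-specific failure" % ip)
```

Requiring a healthy +nocookie baseline keeps a server that is simply down or lame from being listed, so the exception file only grows for servers where the cookie option is the variable that changes the answer.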