domain-unable-resolve

Mark Andrews marka at isc.org
Thu Feb 9 09:00:17 UTC 2017


In message <9adb101d282a6$ac1699b0$0443cd10$@cyberia.net.sa>, "Ejaz" writes:
> 
> Hello,
> 
> From time to time we have problems resolving some domains; one of them is
> "abudawood.com", which we are unable to resolve through our DNS servers at
> "ns10.cyberia.net.sa", where I have the latest BIND version and all. What could
> be the issue, and what is the best way to troubleshoot?

The nameservers for abudawood.com are broken.

ns1.abudawood.com incorrectly returns FORMERR to queries which
contain a DNS COOKIE irrespective of the EDNS version field.  This
behaviour is not compliant with either the initial EDNS specification
or the revised EDNS specification.

ns2.abudawood.com appears to be an old Microsoft DNS server which
fails to respond to EDNS queries after the first one.  Failure to
respond consistently to DNS queries breaks recovery from packet
loss.

Both these servers need to be replaced with ones that are RFC compliant.

EDNS Compliance Tester

Checking: 'abudawood.com.' as at 2017-02-09T08:37:05Z

abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet

abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout

The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.

Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.

Plain EDNS (edns)

This is the style of the initial query that BIND 9.0.x sends.

dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Truncated Response (edns@512)

dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

EDNS - DNSSEC (do)

This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.

dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225

EDNS - Unknown Flag Handling (ednsflags)

dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags

EDNS - DNSSEC with DNS COOKIE Option (docookie)

This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.

dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225, RFC6891, and RFC7873.

EDNS - over TCP Response (edns@512tcp)

dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and RFC6891

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
subnet - EDNS Client Subnet supported [RFC7871].
noopt - OPT record not found when expected.
nosoa - SOA record not found when expected.
echoed - EDNS option echoed back.
status - expected rcode status code not found.
formerr - rcode FORMERR returned.
badversion - expected EDNS version not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/f60adf3942


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

