unable to resolve *.irs.gov at local bind 9.12.0 server ?

Mark Andrews marka at isc.org
Sun Jan 28 01:01:28 UTC 2018


Google’s servers don’t add EDNS options to the queries they make so they don’t see the bogus BADVERS response from the servers.

BADVERS should never be returned to an EDNS version 0 query but these servers do when they see an EDNS option. There are also other servers that return BADVERS to any EDNS query. Named falls back to plain DNS when it sees BADVERS to an EDNS query. Unfortunately this doesn’t work when the zone is signed and the server is validating.

-- 
Mark Andrews

> On 28 Jan 2018, at 09:28, PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
>> On 1/27/18 1:36 PM, Rob Sargent wrote:
>> Just for grins, try adding these lines to your named.conf file [within the appropriate view] to see if that fixes it.  I had to add something like it to get usitc.gov working for my customers:
>>        server 152.216.7.164 { send-cookie no; }; # ns1.irs.gov
>>        server 152.216.7.165 { send-cookie no; }; # ns2.irs.gov
>>        server 152.216.11.132 { send-cookie no; }; # ns3.irs.gov
>>        server 152.216.11.133 { send-cookie no; }; # ns4.irs.gov
>> or whatever IP is failing.  Not sure if your port 53 traffic goes thru QWest but QWest is well known to be broken.
> 
> That did the trick!  All of *irs.gov now resolve at my server.
> 
> Re: "well known", alas, not by me 'til now.  So thx!
> 
> It appears, then, that the set of servers in my tests are all 'sensitive' to said brokenness.  I suppose if it's actual breakage, that's a good thing ...
> 
> Not clear to me why/how the 'big' NSs, e.g. Google, manage to avoid the problem.  Either they're INsensitive to the issue, or already have implemented a similar workaround?
> 
> Also, if it's well known wouldn't a QWest have been given notice of said probs?  Or are they in the DGAD camp?

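An added example, not part of the original thread and not BIND code: a small offline check for the failure described above, where a server answers an EDNS version 0 query that carries an option with BADVERS. It builds the query with a COOKIE option, decodes the 12-bit RCODE from the header and the OPT record, and flags the mismatch. The function names and the response bytes are constructed for illustration.

```python
import struct

BADVERS = 16          # extended RCODE, RFC 6891
OPT, COOKIE = 41, 10  # OPT RR type, COOKIE option code (RFC 7873)

def build_query(name, qid=0x1234, cookie=None):
    """A query with an EDNS version 0 OPT record, optionally carrying a COOKIE option."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie if cookie else b""
    # OPT: root name, type 41, class = UDP size, TTL = ext-rcode(8) | version(8) | flags(16)
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def edns_status(msg):
    """Return (12-bit rcode, EDNS version), or (4-bit rcode, None) when no OPT is present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return ((ttl >> 24) << 4) | (flags & 0xF), (ttl >> 16) & 0xFF
    return flags & 0xF, None

def is_bogus_badvers(query, response):
    """True when a version 0 query drew BADVERS, which a correct server never sends."""
    return edns_status(query)[1] == 0 and edns_status(response)[0] == BADVERS

def constructed_response(query, ext_rcode_hi):
    """Constructed sample reply: echoes the question, OPT carries the upper RCODE bits."""
    qend = skip_name(query, 12) + 4
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8000, 1, 0, 0, 1)
    return hdr + query[12:qend] + b"\0" + struct.pack("!HHIH", OPT, 4096, ext_rcode_hi << 24, 0)
```
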