nested CNAMEs resolution failures?

Mark Andrews marka at
Mon Jan 29 18:29:09 UTC 2018

There really aren’t a lot of servers that return a bad enough answer to warrant turning off cookies globally.  After years of using cookies I have ~20 servers listed in named.conf. 

Most of the erroneous responses are benign. FORMERR and BADVERS are a nonissue unless the zone is signed. Echoing back the cookie option is also benign, it doesn’t even impact with DNSSEC.  These sorts of errors are also going way over time as broken servers are replaced.

Then there is the occasional badly configured backing zone on load balancers which just needs error reports to be sent.

See for measurements on EDNS compliance.
Mark Andrews

> On 30 Jan 2018, at 03:59, Tony Finch <dot at> wrote:
> Matus UHLAR - fantomas <uhlar at> wrote:
>>> On 29.01.18 15:08, Tony Finch wrote:
>>> Yes, there's a bootstrapping problem here ... possibly the easiest way to
>>> avoid depending on a server that sends cookies when reconfiguring it not
>>> to send cookies, is to point the script at In my setup the script
>>> runs in a dev environment generating a static file that is deployed to
>>> production, but it's effectively the same trick of making the script use a
>>> different DNS server.
>> this way you just delegate your problem at 3rd-party (although google)
>> servers.
> No, it's just an occasional query for the purpose of reconfiguring your
> server. If you don't have an independent dev environment, you could
> alternatively configure your server with cookies off globally, run the
> script, then reconfigure it with just the selective nocookie bad list.
> Tony.
> -- 
> f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
> Hebrides, Bailey: West, backing southwest, 6 to gale 8. Rough or very rough.
> Rain or showers. Good, occasionally moderate.
> _______________________________________________
> Please visit to unsubscribe from this list
> bind-users mailing list
> bind-users at

More information about the bind-users mailing list