nested CNAMEs resolution failures?
Mark Andrews
marka at isc.org
Mon Jan 29 18:29:09 UTC 2018
There really aren’t a lot of servers that return a bad enough answer to warrant turning off cookies globally. After years of using cookies I have ~20 servers listed in named.conf.
Most of the erroneous responses are benign. FORMERR and BADVERS are a nonissue unless the zone is signed. Echoing back the cookie option is also benign, it doesn’t even impact with DNSSEC. These sorts of errors are also going way over time as broken servers are replaced.
Then there is the occasional badly configured backing zone on load balancers which just needs error reports to be sent.
See https://ednscomp.isc.org/ for measurements on EDNS compliance.
--
Mark Andrews
> On 30 Jan 2018, at 03:59, Tony Finch <dot at dotat.at> wrote:
>
> Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>>> On 29.01.18 15:08, Tony Finch wrote:
>>> Yes, there's a bootstrapping problem here ... possibly the easiest way to
>>> avoid depending on a server that sends cookies when reconfiguring it not
>>> to send cookies, is to point the script at 8.8.8.8. In my setup the script
>>> runs in a dev environment generating a static file that is deployed to
>>> production, but it's effectively the same trick of making the script use a
>>> different DNS server.
>>
>> this way you just delegate your problem at 3rd-party (although google)
>> servers.
>
> No, it's just an occasional query for the purpose of reconfiguring your
> server. If you don't have an independent dev environment, you could
> alternatively configure your server with cookies off globally, run the
> script, then reconfigure it with just the selective nocookie bad list.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Hebrides, Bailey: West, backing southwest, 6 to gale 8. Rough or very rough.
> Rain or showers. Good, occasionally moderate.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list