A couple of regression problems between 9.11.7 and 9.14.2

Borja Marcos borjam at sarenet.es
Wed Jun 5 12:35:12 UTC 2019


Hi,

I’ve been trying bind 9.14.2 and I have noticed a couple of behavior differences between 9.11 and 9.14.

Problem 1:

I had a problem resolving the rigol.com domain. Looking at packet captures and comparing I saw that the
authoritative servers for rigol.com were ignoring packets with a cookie option.

On 9.14 the operation got stuck when sending a query to 140.205.81.61, 140.205.81.62, 140.205.228.61 and
140.205.228.62.

My server was sending a query with a cookie, timing out after several retries and returning a SERVFAIL.
I tried to disable cookies and this time it worked. Looks like a misconfigured server is discarding DNS
queries with options it doesn’t understand.

Disabling cookies on my server (send-cookie no) fixed it. Seems that the DNSSEC and EDNS option works.

With 9.11 the behavior is different. After several attempts without an answer it sends a query without EDNS options
that gets a reply.

Note that it’s not a simple case of rejecting queries with EDNS options. The offending name servers are
ignoring queries with the cookie option, not with “accept DNSSEC security RRs”. As long as the cookie is not
present they reply.

Anyway, 9.11 retries without options, 9.14 times out and returns a SERVFAIL. Is this intended?


Problem 2:

I also noticed that 9.14.2 is not resolving login.repsol.com A (returning SERVFAIL) while 9.11.7 does.

Seems to be a misconfiguration problem in some of the authoritative servers, yet 9.11 works and
9.14 SERVFAILs.

Is all of this part of a collective “DNS Flag Day”? ;) Or is it unintended?



Thanks!




Borja Marcos.
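The behaviour described in the post (authoritative servers silently dropping queries that carry an EDNS COOKIE option, yet answering the same query without it) can be checked directly from the resolver side. The script below is an added diagnostic example, not part of the original post or of BIND: it builds the three query shapes a resolver may try (with cookie, EDNS without cookie, no EDNS at all), sends each to one server and reports which ones get any reply. The server address and query name are your own command-line inputs.

```python
import os
import socket
import struct
import sys

COOKIE_OPTION_CODE = 10  # EDNS COOKIE option code (RFC 7873); the client cookie is 8 bytes

def encode_name(qname):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    labels = [label.encode("ascii") for label in qname.strip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_query(qname, edns=True, cookie=None, txid=0x1234):
    """A/IN query for qname; with edns=True an OPT RR is appended, optionally carrying a COOKIE."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 only if an OPT RR follows
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    rdata = b"" if cookie is None else struct.pack("!HH", COOKIE_OPTION_CODE, len(cookie)) + cookie
    # OPT RR: root owner name, TYPE=41, "class" = UDP payload size, "TTL" = ext. RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + opt

def query_variants(qname):
    """The three shapes a resolver may try: cookie, EDNS without cookie, no EDNS at all."""
    return {"cookie": build_query(qname, cookie=os.urandom(8)),
            "edns-no-cookie": build_query(qname),
            "no-edns": build_query(qname, edns=False)}

def probe(server, qname, timeout=3.0):
    """Send each variant over UDP; value is the reply RCODE, or None when the server never answers."""
    results = {}
    for name, pkt in query_variants(qname).items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            try:
                reply, _ = s.recvfrom(4096)
                results[name] = reply[3] & 0x0F
            except socket.timeout:
                results[name] = None  # silently dropped, as the post reports for cookie queries
    return results

if __name__ == "__main__":
    # Usage: python3 probe_cookie.py <authoritative server IP> <name>; both are your own inputs
    print(probe(sys.argv[1], sys.argv[2]))
```

A result such as `{'cookie': None, 'edns-no-cookie': 0, 'no-edns': 0}` is the pattern the post describes: only the cookie-bearing query goes unanswered, which is what makes a per-server `send-cookie no` workaround effective.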



