BIND 9 recursive queries returning SERVFAIL for 'legit' domain

Mark Andrews marka at
Wed Jun 17 23:57:34 UTC 2020

> On 17 Jun 2020, at 18:45, Ian Springett <ian.springett at> wrote:
> Hi
> I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/
> The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?
> Rgds
> Ian 

Load balancers shouldn’t cause “bad cookie” (client cookie component not echoed back in the cookie response) as opposed to the BADCOOKIE rcode which can be caused by misconfigured shared secrets.  Named will handle the BADCOOKIE rcode switching to TCP if necessary.  “bad cookie” indicates a botched DNS COOKIE implementation in the server, a broken full answer cache mechanism that hasn’t considered that EDNS options modify responses, or someone is attempting to spoof a reply and is including a DNS COOKIE (named assumes this is the case and waits for the legitimate).

Ondrej’s suggestions are the way to go here.

> Ian Springett
> Hosted Services Engineer
> Giacom World Networks Ltd
> Tel: 0845 305 5577
> Fax: 01482 330194
> Email: ian.springett at

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at
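To make the distinction in the reply above concrete, here is an added checker (not code from the thread or from BIND) that takes the rcode and the OPT RDATA of a response and classifies it the way named's log messages do: the client cookie not echoed back is "bad cookie", while an echoed client cookie with rcode 23 is the BADCOOKIE rcode. The option layout follows RFC 7873 (option code 10, 8-byte client cookie, optional 8-32 byte server cookie); the sample responses are constructed.

```python
import os
import struct

OPT_COOKIE = 10          # EDNS option code for DNS COOKIE (RFC 7873)
RCODE_BADCOOKIE = 23     # extended rcode returned when the server cookie is rejected


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Build one EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", OPT_COOKIE, len(data)) + data


def parse_options(opt_rdata: bytes):
    """Split OPT RR RDATA into (code, data) pairs."""
    opts, i = [], 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        i += 4
        opts.append((code, opt_rdata[i:i + length]))
        i += length
    return opts


def classify_cookie_response(sent_client_cookie: bytes, rcode: int, opt_rdata: bytes) -> str:
    """Return 'no-cookie', 'bad cookie', 'badcookie-rcode' or 'ok'."""
    cookies = [d for c, d in parse_options(opt_rdata) if c == OPT_COOKIE]
    if not cookies:
        return "no-cookie"            # server does not do COOKIE at all; fine
    data = cookies[0]
    well_formed = len(data) == 8 or 16 <= len(data) <= 40
    if not well_formed or data[:8] != sent_client_cookie:
        # The client cookie we sent was not echoed: this is named's "bad cookie".
        # named treats the reply as possibly spoofed and keeps waiting.
        return "bad cookie"
    if rcode == RCODE_BADCOOKIE:
        # Client cookie fine, server cookie rejected: retry with the new server
        # cookie, or fall back to TCP, as named does.
        return "badcookie-rcode"
    return "ok"


if __name__ == "__main__":
    cc = os.urandom(8)                             # constructed client cookie
    good = encode_cookie_option(cc, os.urandom(8))  # server echoed cc + its own cookie
    other = encode_cookie_option(os.urandom(8))     # someone else's client cookie
    print(classify_cookie_response(cc, 0, good))    # ok
    print(classify_cookie_response(cc, 0, other))   # bad cookie
    print(classify_cookie_response(cc, RCODE_BADCOOKIE, good))  # badcookie-rcode
```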
