<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">Hi Daniel,</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">The workaround works. Does BIND 9.14 have a patch to resolve this? Since we have multiple cache servers, we need to do this every time we encounter another domain that has this same issue.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">Thank you!</div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-family:Arial"><font color="#0b5394" size="2"><b>Wil<br></b></font></span></div><div style="font-size:12.8px"><font color="#0b5394"><font size="2"><br></font></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 6, 2019 at 3:50 PM Daniel Stirnimann <<a href="mailto:daniel.stirnimann@switch.ch">daniel.stirnimann@switch.ch</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>. is a CNAME pointing to<br>
<a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a><br>
<br>
The authoritative name servers for <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a><br>
are broken:<br>
<br>
<a href="http://glbaa.barclays.com" rel="noreferrer" target="_blank">glbaa.barclays.com</a>.     900     IN      NS      <a href="http://ns24.barclays.net" rel="noreferrer" target="_blank">ns24.barclays.net</a>.<br>
<a href="http://glbaa.barclays.com" rel="noreferrer" target="_blank">glbaa.barclays.com</a>.     900     IN      NS      <a href="http://ns22.barclays.net" rel="noreferrer" target="_blank">ns22.barclays.net</a>.<br>
<a href="http://glbaa.barclays.com" rel="noreferrer" target="_blank">glbaa.barclays.com</a>.     900     IN      NS      <a href="http://ns23.barclays.com" rel="noreferrer" target="_blank">ns23.barclays.com</a>.<br>
<a href="http://glbaa.barclays.com" rel="noreferrer" target="_blank">glbaa.barclays.com</a>.     900     IN      NS      <a href="http://ns21.barclays.com" rel="noreferrer" target="_blank">ns21.barclays.com</a><br>
<br>
They only seem to respond to A and AAAA queries. Everything else times out.<br>
Queries with EDNS Cookies (RFC 7873) time out as well.<br>
<br>
You should be able to work around this by adding this to named.conf<br>
<br>
server 157.83.126.246 { send-cookie false; };<br>
server 157.83.102.246 { send-cookie false; };<br>
server 157.83.126.245 { send-cookie false; };<br>
server 157.83.102.245 { send-cookie false; };<br>
<br>
See also<br>
<a href="https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar" rel="noreferrer" target="_blank">https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar</a><br>
<br>
Daniel<br>
<br>
<br>
On 06.11.19 08:32, Wilfred Sarmiento via bind-users wrote:<br>
> Hi Bind Users,<br>
> <br>
> Has anyone had an issue similar to the one we are encountering with a subdomain of<br>
> Barclays.com, specifically <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>?<br>
> Our cache server could not resolve the said subdomain, but was able to<br>
> resolve their root domain <a href="http://barclays.com" rel="noreferrer" target="_blank">barclays.com</a> and any<br>
> other known domains. <br>
> Debug showed only the few log details below. <br>
> That subdomain was resolvable using Google DNS and other OpenDNS.<br>
> <br>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852<br>
> (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A<br>
> + (x.x.x.x)<br>
> <br>
> client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852<br>
> (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A<br>
> + (x.x.x.x)<br>
> <br>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852<br>
> (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query failed (timed out) for<br>
> <a href="http://federate.secure.barclays.com/IN/A" rel="noreferrer" target="_blank">federate.secure.barclays.com/IN/A</a> at query.c:6786<br>
> <br>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852<br>
> (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A<br>
> + (x.x.x.x)<br>
> <br>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852<br>
> (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query failed (timed out) for<br>
> <a href="http://federate.secure.barclays.com/IN/A" rel="noreferrer" target="_blank">federate.secure.barclays.com/IN/A</a> at query.c:6786<br>
> <br>
> <br>
> Thank you,<br>
> *Wil<br>
> *<br>
> <br>
> <br>
> This e-mail message (including attachments, if any) is intended for the<br>
> use of the individual or the entity to whom it is addressed and may<br>
> contain information that is privileged, proprietary, confidential and<br>
> exempt from disclosure. If you are not the intended recipient, you are<br>
> notified that any dissemination, distribution or copying of this<br>
> communication is strictly prohibited. If you have received this<br>
> communication in error, please notify the sender and delete this E-mail<br>
> message immediately.<br>
</blockquote></div>

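<div>Added example, not part of the original thread and not ISC code: a small Python helper for the situation described above, where the same workaround has to be repeated on several cache servers. It counts the "query failed (timed out)" lines per name from a named log and renders the <code>server ... { send-cookie false; };</code> statements from a list of addresses. The function names and the sample log lines are assumptions constructed for illustration; the server addresses are the ones quoted in the thread.</div>

```python
import ipaddress
import re
from collections import Counter

# Matches named's "query failed (timed out)" client lines in the format quoted in the thread.
TIMEOUT_RE = re.compile(
    r"\([^)\s]+\): query failed \(timed out\) for "
    r"(?P<name>\S+)/[A-Z]+/(?P<type>[A-Z0-9]+) at "
)

def timed_out_names(log_lines):
    """Count resolver timeouts per (name, type) so recurring failures stand out."""
    hits = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            hits[(m.group("name").rstrip(".").lower(), m.group("type"))] += 1
    return hits

def render_server_stanzas(addresses):
    """Render one 'server <ip> { send-cookie false; };' line per unique, valid address."""
    seen = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw.strip())  # raises ValueError on malformed input
        if ip not in seen:
            seen.append(ip)
    return "".join(f"server {ip} {{ send-cookie false; }};\n" for ip in seen)

# Constructed sample log lines (client and listener addresses are documentation addresses).
SAMPLE_LOG = [
    "client @0x7f6a14a7b6a0 192.0.2.10#63852 (federate.secure.barclays.com): "
    "query: federate.secure.barclays.com IN A + (192.0.2.53)",
    "client @0x7f6a14a7b6a0 192.0.2.10#63852 (federate.secure.barclays.com): "
    "query failed (timed out) for federate.secure.barclays.com/IN/A at query.c:6786",
    "client @0x7f6a31216e30 192.0.2.10#63852 (federate.secure.barclays.com): "
    "query failed (timed out) for federate.secure.barclays.com/IN/A at query.c:6786",
]

# Addresses from the workaround quoted in the thread; one is repeated to show de-duplication.
BROKEN_SERVERS = ["157.83.126.246", "157.83.102.246", "157.83.126.245",
                  "157.83.102.245", "157.83.126.246"]

if __name__ == "__main__":
    for (name, qtype), count in timed_out_names(SAMPLE_LOG).most_common():
        print(f"{count} timeouts: {name}/{qtype}")
    print(render_server_stanzas(BROKEN_SERVERS), end="")
```

<div>The rendered statements can be written to one file that each cache server pulls in with an <code>include</code> statement in named.conf, and checked with <code>named-checkconf</code> before reloading.</div>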