<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">Hi Mark,</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">The workaround works very well, i also got the same response from Daniel of Switch.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#000000">Thank you very much!</div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-family:Arial"><font color="#0b5394" size="2"><b>Wil</b></font></span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 6, 2019 at 3:52 PM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The DNS servers for <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> are *broken* which<br>
is what <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> points to. They do not respond to<br>
queries with EDNS options present and named sends a DNS COOKIE EDNS option<br>
by default.<br>
<br>
You can work around this by specifying<br>
<br>
server 157.83.102.245 { send-cookie no; };<br>
<br>
and similarly for all the other IP addresses of the GLB but the real fix<br>
is for Barclays to deploy RFC compliant DNS servers. Their servers nominally<br>
support EDNS and unknown EDNS options are supposed to be ignored, not cause<br>
the query to be dropped.<br>
<br>
% dig <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> +nocookie @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
<br>
; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> +nocookie @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62156<br>
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;<a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a>. 30 IN A 157.83.124.48<br>
<br>
;; Query time: 356 msec<br>
;; SERVER: 157.83.102.245#53(157.83.102.245)<br>
;; WHEN: Wed Nov 06 18:49:20 AEDT 2019<br>
;; MSG SIZE rcvd: 79<br>
<br>
% dig <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
<br>
; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
;; global options: +cmd<br>
;; connection timed out; no servers could be reached<br>
<br>
[beetle:~/git/bind9] marka% dig <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> +nocookie @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
<br>
; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> <a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a> +nocookie @<a href="http://157.83.102.245" rel="noreferrer" target="_blank">157.83.102.245</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20094<br>
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;<a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://federate-secure.glbaa.barclays.com" rel="noreferrer" target="_blank">federate-secure.glbaa.barclays.com</a>. 30 IN A 157.83.124.48<br>
<br>
;; Query time: 383 msec<br>
;; SERVER: 157.83.102.245#53(157.83.102.245)<br>
;; WHEN: Wed Nov 06 18:50:19 AEDT 2019<br>
;; MSG SIZE rcvd: 79<br>
<br>
% <br>
<br>
<br>
> On 6 Nov 2019, at 18:32, Wilfred Sarmiento via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> wrote:<br>
> <br>
> Hi Bind Users,<br>
> <br>
> Anyone have a similar issue we are encountering with the subdomain of Barclays.com specifically <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a><br>
> Our cache server could not resolve the said subdomain, but was able to resolve their root domain <a href="http://barclays.com" rel="noreferrer" target="_blank">barclays.com</a> and any other known domains. <br>
> Debug just showed below little details of logs. <br>
> That subdomain was resolvable using Google DNS and other OpenDNS.<br>
> <br>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A + (x.x.x.x)<br>
> client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A + (x.x.x.x)<br>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query failed (timed out) for <a href="http://federate.secure.barclays.com/IN/A" rel="noreferrer" target="_blank">federate.secure.barclays.com/IN/A</a> at query.c:6786<br>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query: <a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a> IN A + (x.x.x.x)<br>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (<a href="http://federate.secure.barclays.com" rel="noreferrer" target="_blank">federate.secure.barclays.com</a>): query failed (timed out) for <a href="http://federate.secure.barclays.com/IN/A" rel="noreferrer" target="_blank">federate.secure.barclays.com/IN/A</a> at query.c:6786<br>
> <br>
> Thank you,<br>
> Wil<br>
> <br>
> <br>
> This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.<br>
> <br>
> _______________________________________________<br>
> Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
</blockquote></div>
<br>
<div>This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.</div><div><br></div>