<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">did you try writing to <a href="http://elbrev.com" class="">elbrev.com</a> operators to fix their servers to stop breaking DNS protocol? It often helps. (I'm ccing the contact in their SOA records, so let's see if anything happens.)</div><div class=""><br class=""></div><div class="">It's not a lack of EDNS0 support, but they fail to properly process unknown EDNS0 options - DNS Cookie in this specific example:</div><div class=""><br class=""></div><div class=""><div class="">;; Got answer:</div><div class="">;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 57723</div><div class="">;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</div><div class=""><br class=""></div><div class="">;; OPT PSEUDOSECTION:</div><div class="">; EDNS: version: 0, flags:; udp: 1232</div><div class="">; COOKIE: ec9c994f850fe500 (echoed)</div><div class=""><br class=""></div><div class="">vs</div><div class=""><br class=""></div><div class="">ondrej@howl:~/Projects/bind9 (v9_18 $%=)$ bin/dig/dig +norec +noall +comments +nocookie <a href="http://bemacom.se" class="">bemacom.se</a> @dns1.elbrev.com</div><div class="">;; Got answer:</div><div class="">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16277</div><div class="">;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</div><div class=""><br class=""></div><div class="">;; OPT PSEUDOSECTION:</div><div class="">; EDNS: version: 0, flags:; udp: 4000</div></div><div class=""><br class=""></div><div class="">Their servers are clearly violating existing DNS standards: <a href="https://ednscomp.isc.org/ednscomp/11fd9e2e46" class="">https://ednscomp.isc.org/ednscomp/11fd9e2e46</a></div><div class=""><br class=""></div><div class=""><blockquote type="cite" 
class="">Of course I would prefer to upgrade back to 9.18.X, but I guess I won't be able to find all EDNS0 incompatible servers and loosing customers to 8.8.8.8 - which is able to resolve these names..</blockquote></div><div class=""><br class=""></div><div class="">This is kind of moot argument - the DNS needs to evolve, and it can't evolve if we keep supporting broken stuff. This needs to be fixed on the authoritative operator side, not in BIND 9.</div><div class=""><br class=""></div><div class="">Cheers,</div>Ondrej<br class=""><div class="">
<meta charset="UTF-8" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">--</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Ondřej Surý (He/Him)</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><a href="mailto:ondrej@isc.org" class="">ondrej@isc.org</a></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; 
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div></div></div>
</div>
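An added worked example, not code from either poster or from BIND: the first part groups the "received FORMERR resolving" log lines quoted below by the authoritative server that sent them and renders the per-server "edns no" stopgap stanza mentioned in the thread; the second part decodes a DNS reply at the wire level and classifies it the way the diagnosis above does, separating "FORMERR with an OPT RR that echoes our cookie" (the server parses EDNS but chokes on an option it does not know) from "FORMERR without OPT" (a server with no EDNS at all). The log lines and the two reply packets are constructed inline (modelled on the dig outputs above, with a documentation-range A record); nothing is sent on the network.

```python
import re
import struct
from collections import defaultdict

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type (RFC 6891)
COOKIE_OPTION = 10   # DNS Cookie option code (RFC 7873)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Part 1: triage "received FORMERR resolving" lines from a named log.
# Constructed sample in the same format as the lines quoted in the thread, plus one unrelated line.
SAMPLE_LOG = """\
Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving 'dns2.elbrev.com/AAAA/IN': 92.33.14.98#53
Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving 'dns2.elbrev.com/AAAA/IN': 194.17.14.66#53
Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving 'dns.elbrev.com/AAAA/IN': 92.33.14.98#53
Oct 20 12:46:47 frontend1 named[2577193]: received FORMERR resolving 'dns1.elbrev.com/AAAA/IN': 194.17.14.66#53
Oct 20 12:46:47 frontend1 named[2577193]: resolver priming query complete
"""
FORMERR_RE = re.compile(
    r"received FORMERR resolving '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)")

def formerr_by_server(log_text):
    """Group FORMERR events by sending server: {ip: {"count": n, "qnames": [...]}}."""
    stats = defaultdict(lambda: {"count": 0, "qnames": set()})
    for line in log_text.splitlines():
        m = FORMERR_RE.search(line)
        if m:                                   # every other kind of log line is ignored
            stats[m["server"]]["count"] += 1
            stats[m["server"]]["qnames"].add(m["qname"])
    return {ip: {"count": e["count"], "qnames": sorted(e["qnames"])} for ip, e in stats.items()}

def edns_workaround_stanzas(stats, min_count=2):
    """Render the per-server named.conf stopgap from the thread for the noisiest servers only.
    It disables EDNS toward that address (so also DNSSEC and large UDP replies from it)."""
    return [f"server {ip} {{ edns no; }};" for ip, e in sorted(stats.items()) if e["count"] >= min_count]

# Part 2: decode a reply on the wire and classify it as the reply above does.
def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(pkt, off):
    """Offset just past the name at off; a compression pointer (top bits 11) ends the name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(pkt):
    """Header, extended RCODE and OPT options of a reply; record data itself is not interpreted."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4           # skip QTYPE + QCLASS
    rcode = flags & 0x000F
    resp = {"id": txid, "qr": bool(flags & 0x8000), "rcode": rcode, "opt": None}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == OPT_TYPE:                   # CLASS = UDP size, TTL = ext-rcode | version | flags
            resp["rcode"] = ((ttl >> 24) << 4) | rcode
            options, o = {}, 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                options[code] = rdata[o + 4:o + 4 + olen]
                o += 4 + olen
            resp["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "options": options}
    resp["rcode_name"] = RCODE_NAMES.get(resp["rcode"], str(resp["rcode"]))
    return resp

def classify_cookie_response(resp, sent_cookie):
    """'breaks-on-cookie': FORMERR that still carries OPT and echoes our cookie, i.e. the server
    parsed EDNS but rejects an option it does not know (RFC 6891 says unknown options are ignored).
    'no-edns': FORMERR with no OPT RR at all, the classic pre-EDNS responder behaviour."""
    if resp["rcode"] == 0:
        return "ok"
    if resp["opt"] is None:
        return "no-edns" if resp["rcode"] == 1 else "other-error"
    if resp["rcode"] == 1 and resp["opt"]["options"].get(COOKIE_OPTION) == sent_cookie:
        return "breaks-on-cookie"
    return "other-error"

COOKIE = bytes.fromhex("ec9c994f850fe500")   # client cookie value taken from the dig output above

def sample_formerr_reply(cookie=COOKIE):
    """Constructed reply mirroring the first dig output: FORMERR, no answer, OPT echoing the cookie."""
    header = struct.pack("!HHHHHH", 57723, 0x8001, 1, 0, 0, 1)            # QR=1, RCODE=FORMERR
    question = encode_name("bemacom.se") + struct.pack("!HH", 1, 1)         # A, IN
    option = struct.pack("!HH", COOKIE_OPTION, len(cookie)) + cookie
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return header + question + opt_rr

def sample_noerror_reply():
    """Constructed reply mirroring the second dig output: NOERROR, AA, one A record, bare OPT."""
    header = struct.pack("!HHHHHH", 16277, 0x8400, 1, 1, 0, 1)            # QR=1, AA=1, NOERROR
    question = encode_name("bemacom.se") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # constructed A
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4000, 0, 0)            # udp 4000, no options
    return header + question + answer + opt_rr
```

Running formerr_by_server over a real named log and feeding the result to edns_workaround_stanzas gives the operator a short, evidence-based list of addresses to consider for the stopgap, while classify_cookie_response tells two failure modes apart that both appear as FORMERR in the log but call for different conversations with the server operator.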
<div><br class=""><blockquote type="cite" class=""><div class="">On 20. 10. 2022, at 13:09, Andreas S. Kerber <<a href="mailto:ask@ag-trek.de" class="">ask@ag-trek.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">I've just finished upgrading our last resolver from 9.16 to 9.18.8 a few days ago.<br class="">As it turn out a number of zones are no longer resolveable with 9.18. Some nameservers out there don't seem to support EDNS0 and the number of FORMERR responses in our resolver logs went up quite a bit. Here's an example:<br class=""><br class=""><br class="">zone <a href="http://bemacom.se" class="">bemacom.se</a> when querying a 9.18.8 resolver (status: SERVFAIL):<br class=""><br class=""># dig <a href="http://bemacom.se" class="">bemacom.se</a> @213.182.0.X<br class=""><br class="">; <<>> DiG 9.18.8 <<>> <a href="http://bemacom.se" class="">bemacom.se</a> @213.182.0.X<br class="">;; global options: +cmd<br class="">;; Got answer:<br class="">;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25874<br class=""><br class=""><br class="">zone <a href="http://bemacom.se" class="">bemacom.se</a> when querying a 9.16.34 resolver:<br class=""><br class=""># dig <a href="http://bemacom.se" class="">bemacom.se</a> @213.182.0.X<br class=""><br class="">; <<>> DiG 9.18.8 <<>> <a href="http://bemacom.se" class="">bemacom.se</a> @213.182.0.X<br class="">;; global options: +cmd<br class="">;; Got answer:<br class="">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5496<br class=""><br class=""><br class=""><br class="">The NS for <a href="http://bemacom.se" class="">bemacom.se</a> seem to be <a href="http://dnsX.elbrev.com" class="">dnsX.elbrev.com</a> and I'm seeing FORMERR messages in the BIND 9.18.8 logs:<br class=""><br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:43 
frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:43 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:47 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:47 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:47 frontend1 named[2577193]: 
received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:47 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:51 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:51 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:51 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:51 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns2.elbrev.com/AAAA/IN':" class="">dns2.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:55 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:55 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 92.33.14.98#53<br class="">Oct 20 12:46:55 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns1.elbrev.com/AAAA/IN':" class="">dns1.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class="">Oct 20 12:46:55 frontend1 named[2577193]: received FORMERR resolving '<a href="http://dns.elbrev.com/AAAA/IN':" class="">dns.elbrev.com/AAAA/IN':</a> 194.17.14.66#53<br class=""><br class=""><br class="">According to <a href="http://dnscheck.ripe.net" class="">dnscheck.ripe.net</a> the zone's NS don't support EDNS0: <a href="https://dnscheck.ripe.net/result/93ee1d56756536dd" 
class="">https://dnscheck.ripe.net/result/93ee1d56756536dd</a><br class=""><br class="">I could manually fix this by adding those IP adresses with a server statement to named.conf like this: "server x.x.x.x { edns no; };"<br class="">Since this is only one a example of about 10 so far, I chose to downgrade one of my resolvers back to 9.16.X, to catch those faulty zones.<br class=""><br class="">Of course I would prefer to upgrade back to 9.18.X, but I guess I won't be able to find all EDNS0 incompatible servers and loosing customers to 8.8.8.8 - which is able to resolve these names..<br class=""><br class=""><br class=""><br class="">-- <br class="">Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" class="">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br class=""><br class="">ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" class="">https://www.isc.org/contact/</a> for more information.<br class=""><br class=""><br class="">bind-users mailing list<br class=""><a href="mailto:bind-users@lists.isc.org" class="">bind-users@lists.isc.org</a><br class="">https://lists.isc.org/mailman/listinfo/bind-users<br class=""></div></div></blockquote></div><br class=""></body></html>