<div dir="auto"><div>As a previous ISP admin I too have come across similar situations and frustrations.<div dir="auto"><br></div><div dir="auto">I can only say that Google and Cloudflare seem to follow Postel's Law moreso than BIND.</div><div dir="auto"><br></div><div dir="auto">I agree this perpetuates bad practices but end users aren't interested in technical reasoning, especially when "it works everywhere else, you must be broken"</div><div dir="auto"><br></div><div dir="auto">Paul</div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Oct 28, 2023, 3:56 PM Rick Frey <<a href="mailto:gribnut@gmail.com">gribnut@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-break:after-white-space">As Mark mentions, the NS records <a href="http://gtm.bankeasy.com" target="_blank" rel="noreferrer">gtm.bankeasy.com</a> need to be corrected and failure is not due to lack of iterating through all auth nameservers (all of the auth nameservers have the bad NS record anyway). <div><br></div><div>Not sure how many other domains you are running into similar problem, but you could disable qname-minimization in 9.18 to mimic previous behavior of 9.16 if that number is large. I believe qname-minimization is a global directive so it would remove privacy benefits of QNAME minimization for all recursive queries from your nameserver. </div><div><br></div><div>As DNS admin of another ISP, I sympathize dealing with failures caused by non-compliant authoritative nameservers. These non-compliant auth nameservers can have little motivation to fix, especially when other large ISPs or public resolvers (looking at you Google and Cloudflare) don’t enforce DNS standards. Many non-compliant nameservers/records would be cleaned up if public/centralized DNS providers such as Google/Cloudflare would enforce since it would inflict those failures on a much larger user base.</div><div><br></div><div> - Rick</div><div><br></div><div><br id="m_-913250445141378736lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On Oct 27, 2023, at 6:31 PM, Mark Andrews <<a href="mailto:marka@isc.org" target="_blank" rel="noreferrer">marka@isc.org</a>> wrote:</div><br><div><div><br><br>Named now uses NS lookups to perform QNAME minimisation. If one puts garbage in the NS<br>records then they should expect lookups to fail. The NS records on both sides of a zone<br>cut are supposed to be IDENTICAL. This is not a new requirement. It has been this way<br>since the very beginning.<br><br>The bank needs to fix what they publish.<br><br>Mark<br><br><blockquote type="cite">On 28 Oct 2023, at 02:36, Michael Martinell via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a>> wrote:<br><br>Hello,<br> At this point I am hoping that somebody might have a workaround so that we can exclude domains from this behavior if they are broken on the far end. Does anybody have a workaround for this?<br> We are a small ISP and run BIND compiled from source. We currently run 9.16.x<br>Every time we try to move forward with 9.18 customers start to complain that they are unable to reach certain websites. This includes banks, universities, and other organizations.<br> I understand the goal is to get all DNS to RFC 6891, but from a practical standpoint, this isn’t working for customers, so we are prevented from upgrading either.<br> Related website:<br><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/3152" target="_blank" rel="noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/3152</a><br> Our source code compile options:<br>./configure --with-gnu-ld --with-libxml2 --with-json-c --with-openssl=/usr/local/openssl && make && make install && ldconfig<br><br><br><br>Interstate Telecommunications Coop., Inc.<br>312 4th Street West • Clear Lake, SD 57226<br>Phone: (605) 874-8313<br><a href="mailto:michael.martinell@itccoop.com" target="_blank" rel="noreferrer">michael.martinell@itccoop.com</a><br><a href="http://www.itc-web.com" target="_blank" rel="noreferrer">www.itc-web.com</a><br></blockquote><br></div></div></blockquote></div><br></div></div>-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div></div>