On 7/20/2010 1:41 PM, Tony Finch wrote:
> On Tue, 20 Jul 2010, Kevin Darcy wrote:
> > It seems that UCAS is just proxying non-A queries from its load-balancers back
> > to its regular nameservers.
> No, the load balancers are simply braindamaged. Try SOA or NS or TXT
> queries and you get a timeout.

The contents of the ucas.com SOA record they return in their negative reply don't match up with what the authoritative servers return, so it's anyone's guess where that's coming from -- a stale "shadow" version of the zone, an *internal* version of the zone (which if true would/should raise security concerns), something statically configured into the load-balancers themselves, who knows?

I was trying to give them the benefit of the doubt as to a misconfiguration of their devices, but I'm starting to agree with you that this is simply YABLI (Yet Another Braindamaged Load-balancer Implementation).

Timing out on non-A/non-AAAA queries is of course reprehensible, but what's even worse is the sending of spurious NXDOMAINs in response to "unexpected" QTYPEs, under certain configurations of a particular make of load-balancer. That's a DoS waiting to happen. Fortunately the vendor in question there recognizes the problem and is working on a fix for it.

- Kevin


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
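The two failure modes Kevin describes (timeouts on non-A/AAAA QTYPEs, and an NXDOMAIN for one QTYPE while another QTYPE for the same name returns data) can be checked for from the outside. The script below is an added example written for this page; it is not code from the thread, from ISC or from any load-balancer vendor, and the name www.example.net and the 192.0.2.10 address in the constructed sample responses are placeholders. It builds raw DNS queries for several QTYPEs, parses the replies with a minimal wire-format parser (compression pointers are skipped, SOA contents are not decoded), and flags the cases that matter: a timeout, and an NXDOMAIN that contradicts a positive answer for the same name. The latter is the DoS Kevin alludes to, because a caching resolver may use a cached NXDOMAIN for the name regardless of QTYPE (RFC 2308), so one spurious negative reply for TXT can make the A record disappear for every client behind that resolver until the negative TTL expires.

```python
import socket
import struct
import sys

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Owner name in DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """Standard query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def _skip_name(data, pos):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_response(data):
    """Return rcode and the RR types seen in each section; rdata is skipped, not decoded."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            pos = _skip_name(data, pos)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
            pos += 10 + rdlen
            sections[section].append(rtype)
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answer": sections["answer"], "authority": sections["authority"]}


def build_response(query, rcode, answer_rrs=(), authority_rrs=()):
    """Constructed reply for testing: echoes the question, sets QR|RD|RA and rcode, and
    appends RRs given as (rtype, rdata) with a pointer to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answer_rrs), len(authority_rrs), 0)
    body = b""
    for rtype, rdata in list(answer_rrs) + list(authority_rrs):
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + body


def classify(name, outcomes):
    """outcomes maps QTYPE -> parsed response, or None for a timeout. Returns findings."""
    findings = []
    positive = [q for q, r in outcomes.items() if r and r["rcode"] == "NOERROR" and r["answer"]]
    for qtype, resp in outcomes.items():
        if resp is None:
            findings.append("%s: timeout (resolvers will retry, then fail the lookup)" % qtype)
        elif resp["rcode"] == "NXDOMAIN" and positive:
            findings.append("%s: NXDOMAIN although %s returned data; a resolver caching this "
                            "negative answer (RFC 2308) treats %s as nonexistent for every type"
                            % (qtype, ",".join(positive), name))
    return findings


def probe(server, name, qtypes=("A", "AAAA", "SOA", "NS", "TXT"), timeout=3.0):
    """Send one UDP query per QTYPE to server:53 and collect parsed replies or timeouts."""
    outcomes = {}
    for qtype in qtypes:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server, 53))
            data, _ = s.recvfrom(4096)
            outcomes[qtype] = parse_response(data)
        except socket.timeout:
            outcomes[qtype] = None
        finally:
            s.close()
    return outcomes


def sample_outcomes():
    """Constructed offline sample reproducing the behaviour described in the thread:
    A answers, TXT gets a spurious NXDOMAIN with an SOA in authority, SOA times out."""
    name = "www.example.net"
    a_reply = build_response(build_query(name, "A"), 0, answer_rrs=[(1, bytes([192, 0, 2, 10]))])
    txt_reply = build_response(build_query(name, "TXT"), 3, authority_rrs=[(6, b"\x00\x00" + b"\x00" * 20)])
    return name, {"A": parse_response(a_reply), "TXT": parse_response(txt_reply), "SOA": None}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        server, name = sys.argv[1:3]
        for line in classify(name, probe(server, name)):
            print(line)
    else:
        for line in classify(*sample_outcomes()):
            print(line)
```

Run it as `python probe.py <load-balancer-ip> <name>` to test a live device; with no arguments it runs against the constructed sample. Compare the result against the zone's real authoritative servers before blaming the device, since a genuinely missing name returns NXDOMAIN for every QTYPE and is not a finding.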