In message <9f949ee6-6386-c986-698e-e4a46e6cf...@thelounge.net>, Reindl Harald writes:
> On 16.08.2016 at 11:04, Eivind Olsen wrote:
> > I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving
> > getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for
> > RHEL/CentOS/Fedora.
>
> why do you use a 3rd party package?
>
> no problem here with bind-9.10.4-1.P2.fc24.x86_64 from the Fedora repos

Presumably bind-9.10.4-1.P2.fc24.x86_64 doesn't have DNS COOKIE support
enabled or you would be seeing these diagnostic messages. BIND 9.11 has
DNS COOKIE support on by default. DiG also has it turned on.

If you go to https://ednscomp.isc.org/compliance/summary.html you can
see how authoritative server support is improving for unknown EDNS
options. That page tracks all EDNS extension methods.

The point of writing RFCs is to avoid issues like this. RFC 6891 is
clear about how a nameserver handles unknown EDNS versions and unknown
EDNS options. This server doesn't handle either event properly. Its
predecessor, RFC 2671, was also completely clear about handling unknown
EDNS versions. One of the changes between RFC 2671 and RFC 6891 was to
clarify unknown EDNS option handling.

ISC has an online EDNS compliance tester <https://ednscomp.isc.org/ednscomp>.
You can point it at any zone to test how the servers behave. Below is
the output for dryfire.com.

Mark

Checking: 'dryfire.com' as at 2016-08-19T06:10:51Z

dryfire.com @213.162.97.177 (dns0.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
dryfire.com @213.162.97.178 (dns1.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa

The Following Tests Failed

EDNS - Unknown Version Handling (edns1)
    dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Option Handling (ednsopt)
    dig +nocookie +norec +noad +ednsopt=100 soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: that the option will not be present in response
    See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)
    dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    expect: that the option will not be present in response
    See RFC6891

EDNS - over TCP Response (edns@512tcp)
    dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    See RFC5966 and See RFC6891

EDNS - Supported Options Probe (optlist)
    dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    See RFC6891

Codes
    ok - test passed.
    nosoa - SOA record not found when expected.
    status - expected rcode status code not found.
    timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/85c5dc541f

> > I can do manual lookups of the domain with "dig" and point it to their
> > servers (dns0.getsurfed.com, dns1.getsurfed.com) but it fails for me if
> > I go through my BIND installation.
> >
> > The named.run log contains lines like this:
> >
> > 16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.178#53
> > 16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.177#53
> >
> > A search for "17 unexpected RCODE" seems to indicate this might be
> > caused by incompatibility between SIT/DNS cookies and older versions of
> > NSD. Is this also what's happening in my case here?
>
> ;; ANSWER SECTION:
> dryfire.com. 21600 IN A 109.109.232.98
>
> ;; ANSWER SECTION:
> dryfire.com. 21595 IN NS dns0.getsurfed.com.
> dryfire.com. 21595 IN NS dns1.getsurfed.com.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
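
Added example, not part of the original message and not ISC's own tooling: a small parser for the per-server result lines of the compliance report quoted above, which lists the failed tests per server and singles out the ones whose dig command sends an EDNS option. The function names and the OPTION_TESTS grouping are assumptions made for this illustration; the two input lines and the code legend are copied from the report.

```python
import re

# Result codes, from the report's "Codes" legend.
CODES = {"ok": "test passed", "nosoa": "SOA record not found when expected",
         "status": "expected rcode status code not found", "timeout": "lookup timed out"}
# Assumed grouping: tests whose dig command in the report sends an EDNS option.
OPTION_TESTS = ("ednsopt", "edns1opt", "optlist")

# The two result lines from the report quoted in the message.
REPORT = """\
dryfire.com @213.162.97.177 (dns0.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
dryfire.com @213.162.97.178 (dns1.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
"""

LINE = re.compile(r"^(?P<zone>\S+) @(?P<addr>\S+) \((?P<ns>[^)]+)\): (?P<results>.+)$")

def parse_line(line):
    """Split one result line into server identity and {test: [codes]}."""
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ednscomp result line: {line!r}")
    results = {}
    for pair in m["results"].split():
        test, _, codes = pair.partition("=")
        unknown = [c for c in codes.split(",") if c not in CODES]
        if unknown:
            raise ValueError(f"unknown result code(s) for {test}: {unknown}")
        results[test] = codes.split(",")
    return {"zone": m["zone"], "addr": m["addr"], "ns": m["ns"], "results": results}

def failures(entry):
    """Every test whose result is anything other than a plain 'ok'."""
    return {t: c for t, c in entry["results"].items() if c != ["ok"]}

def option_failures(entry):
    """Failed tests that exercise EDNS option handling."""
    return {t: c for t, c in failures(entry).items() if t in OPTION_TESTS}

def summarize(report):
    """Map each server address to its failed tests."""
    lines = filter(str.strip, report.splitlines())
    return {e["addr"]: failures(e) for e in map(parse_line, lines)}

if __name__ == "__main__":
    for addr, failed in summarize(REPORT).items():
        for test, codes in failed.items():
            print(addr, test, "; ".join(CODES[c] for c in codes))
```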