In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald writes: > > > Am 07.02.2017 um 22:11 schrieb Mark Andrews: > > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Har > ald wr > > ites: > >>> Break them. That's the only way it will eventually get fixed > >> > >> if things would be that easy.... > >> > >> the admins of the broken servers ar the very last which are affected, > >> admins with a recent named have to bite the bullet of user terror and > >> users typically don#t give a damn when it worked yesterday > >> > >> the admins of the broken server don't give a damn about as long they can > >> point their fingers and say "look, the rest of the world has no lookup > >> errors" > >> > >> if it would be that easy the problem of spam would not exist for many > >> years while in reality you waste most of our time to write exceptions > >> here and there, disable rules or score them lower because you are not in > >> the position to educate every admin of sending servers out there > > > > You go over the admins head. You go to the board of directors. > > You go the the minister responsible (yes, I have had to do that > > along with a copy to the shadow minister and the company that the > > DNS was outsourced to for government domains). Good old snail mail > > if *you* do that from your position it may work but still takes time in > a world where it somestimes takes days and weeks to find somebody who > can instruct a admin to change a simple CNAME record from machine A to > machine B even with the directors OK and CC'ed in the message
And you can fix the issue by hand while this is going on. server 74.113.204.34 { send-cookie false; }; server 74.113.206.34 { send-cookie false; }; server 117.56.91.203 { send-cookie false; }; server 117.56.91.204 { send-cookie false; }; server 117.56.91.234 { send-cookie false; }; server 199.252/16 { send-cookie false; }; (or request-sit no; for 9.10.x) There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE. The big numbers are those that drop EDNS(1) which no one is using at this stage. See http://ednscomp.isc.org/ > i doubt it works the same way for a ordinary admin in a small company > where you to make it work because *you* broke it with the named update > and so your advise will be "roll back that stuff to the state of > yesterday where it worked and no you have not the free time to call each > and every company and educate them" > > problem here is that as long it's not a critical mass anybody who > deployed the update breaking things have to bleed for it and so you have > to find enough people with the power to go over admins head *before* the > breaking updates > > and no, when in your company people can't work because DNS is broken you > don't call foreign admins and directors - you have to fix that *now* and > after you have fixed it you have no longer arumgents why call somebody > with no direct relations > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users