In message <9adb101d282a6$ac1699b0$0443cd10$@cyberia.net.sa>, "Ejaz" writes:
>
> Hello,
>
> Time to time we are having problems resolving some domains, one of them is
> "abudawood.com". We are unable to resolve it through our DNS servers at
> "ns10.cyberia.net.sa", where I have the latest BIND version and all. What could
> be the issue and what is the best way to troubleshoot?
The nameservers for abudawood.com are broken.

ns1.abudawood.com incorrectly returns FORMERR to queries which contain a
DNS COOKIE irrespective of the EDNS version field. This behaviour is not
compliant with either the initial EDNS specification or the revised EDNS
specification.

ns2.abudawood.com appears to be an old Microsoft DNS server which fails to
respond to EDNS queries after the first one. Failure to respond consistently
to DNS queries breaks recovery from packet loss.

Both these servers need to be replaced with ones that are RFC compliant.

EDNS Compliance Tester

Checking: 'abudawood.com.' as at 2017-02-09T08:37:05Z

abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet
abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout

The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot resolve
the zone or will get an unintended answer or resolution will be slower
than necessary.

Warning: failure to address issues identified here may make future DNS
extensions that you want to use ineffective. In particular echoing back
unknown EDNS options and unknown EDNS flags will break future signaling
between DNS client and DNS server. We already have examples of this where
you cannot depend on the AD flag bit meaning anything in replies because
too many DNS servers just echo it back. Similarly the EDNS Client Subnet
(ECS) option cannot just be sent to everyone in part because of servers
just echoing it back.

Plain EDNS (edns)

This is the style of the initial query that BIND 9.0.x sends.
dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Truncated Response (edns@512)

dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

EDNS - DNSSEC (do)

This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.

dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225

EDNS - Unknown Flag Handling (ednsflags)

dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags

EDNS - DNSSEC with DNS COOKIE Option (docookie)

This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.
dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225, RFC6891, and RFC7873.

EDNS - over TCP Response (edns@512tcp)

dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and See RFC6891

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
subnet - EDNS Client Subnet supported [RFC7871].
noopt - OPT record not found when expected.
nosoa - SOA record not found when expected.
echoed - EDNS option echoed back.
status - expected rcode status code not found.
formerr - rcode FORMERR returned.
badversion - expected EDNS version not found.
timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/f60adf3942

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
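As an added example (not part of Mark Andrews' post, and not code from the ISC EDNS Compliance Tester), the Python below parses the one-line-per-server result format shown in the report above, applies the "Codes" legend to separate informational codes (ok, subnet) from failures, and maps each failing test back to the resolver generation whose initial query it breaks, using the BIND version notes the report gives for the edns, do and docookie tests. The first two report lines are the ones from the post; the third line, for "ns1.example.test.", is a constructed fully compliant server so the compliant path is exercised. The split between "broken" and "unresponsive" (half or more of the tests timing out) is a heuristic chosen here, not a rule from the tester.

```python
import re

# Two report lines copied from the ednscomp output above, plus one
# constructed line for a fully compliant server (not on the page).
REPORT = """\
abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet
abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout
example.test. @192.0.2.53 (ns1.example.test.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok,subnet
"""

# From the report's "Codes" legend: "ok" is a pass and "subnet" only
# records that EDNS Client Subnet is supported. Everything else is a failure.
NON_FAILURE_CODES = {"ok", "subnet"}

# Tests that mirror the first query a given BIND generation sends, as stated
# in the report text. A failure here means that resolver's very first
# attempt against the server goes wrong, not just a fallback path.
INITIAL_QUERY_STYLE = {
    "edns": "BIND 9.0.x",
    "do": "BIND 9.1.0 - BIND 9.10.x",
    "docookie": "BIND 9.11.0 / BIND 9.10.4 Windows onwards",
}

# zone @address (nameserver): test=code[,code...] test=code ...
LINE_RE = re.compile(
    r"^(?P<zone>\S+)\s+@(?P<addr>\S+)\s+\((?P<ns>[^)]*)\):\s*(?P<results>.*)$"
)


def parse_report(text):
    """Parse ednscomp-style result lines into a list of server dicts."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        results = {}
        for item in m.group("results").split():
            test, _, codes = item.partition("=")
            results[test] = codes.split(",") if codes else []
        servers.append({
            "zone": m.group("zone"),
            "addr": m.group("addr"),
            "ns": m.group("ns"),
            "results": results,
        })
    return servers


def failed_tests(server):
    """Return {test: [failure codes]} with informational codes stripped."""
    failed = {}
    for test, codes in server["results"].items():
        bad = [c for c in codes if c not in NON_FAILURE_CODES]
        if bad:
            failed[test] = bad
    return failed


def classify(server):
    """'compliant', 'broken' (answers, but not per RFC 6891) or
    'unresponsive' (at least half the tests timed out; heuristic)."""
    failed = failed_tests(server)
    if not failed:
        return "compliant"
    timeouts = sum(1 for codes in failed.values() if "timeout" in codes)
    if timeouts * 2 >= len(server["results"]):
        return "unresponsive"
    return "broken"


def resolvers_affected(server):
    """Which BIND generations' initial query this server fails on."""
    failed = failed_tests(server)
    return [style for test, style in INITIAL_QUERY_STYLE.items() if test in failed]


if __name__ == "__main__":
    for s in parse_report(REPORT):
        print(f"{s['ns']} ({s['addr']}): {classify(s)}")
        for test, codes in failed_tests(s).items():
            print(f"  {test}: {','.join(codes)}")
        for style in resolvers_affected(s):
            print(f"  initial query from {style} fails")
```

Run against the report above, ns1.abudawood.com. comes out as "broken" with docookie among its failures, which is exactly the case Mark describes (a FORMERR to any query carrying a COOKIE, so BIND 9.11-style resolvers fail on their first query), and ns2.abudawood.com. comes out as "unresponsive" because nine of its ten tests timed out.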