Re: 9.11 can't validate sss.gov

Mark Andrews Fri, 19 Jan 2018 15:12:02 -0800

Yes, qwest were informed years ago that there severs are broken. Report this to 
the .gov site operators.  The servers return BADVERS to the queries which was 
never part of the EDNS spec and is a invention of the servers developers. 
FORMERR was permissible by STD13  but this was tightened when the EDNS spec was 
revised to say ignore unknown EDNS options.


-- 
Mark Andrews

> On 20 Jan 2018, at 03:39, Tony Finch <d...@dotat.at> wrote:
> 
> Timothy A. Holtzen <t...@nebrwesleyan.edu> wrote:
> 
>> I've run into an odd problem.  On the same host with nearly identical
>> configurations.  Bind 9.10.6 can resolve and DNSSEC validate sss.gov but
>> Bind 9.11.2 cannot.
> 
> Ah, this is because sss.gov is hosted on Qwest's DNS servers that have
> broken EDNS logic which is incompatible with DNS cookies.
> 
> I have a short script (quoted below) which generates a blacklist of broken
> servers which is included in my `named.conf`.
> 
> The number of problem reports I've received is mercifully small - Qwest
> are the worst cookie offenders.
> 
> ########################################################################
> 
> #!/bin/sh
> 
> set -eu
> 
> noedns=roles/named/files/named.conf.noedns
> 
> : >$noedns
> 
> # qwest - bea.gov
> # barclays - myapplication.international.barclays.com
> 
> for s in        sauthns1.qwest.net. \
>                sauthns2.qwest.net. \
>                ns21.barclays.com. \
>                ns22.barclays.net. \
>                ns23.barclays.com. \
>                ns24.barclays.net.
> do
>        dig +noall +nottl +noclass +answer $s a $s aaaa
> done |
> sort |
> while   read s t a
> do      echo "server $a { send-cookie no; }; # $s"
> done    >>$noedns
> 
> ########################################################################
> 
> Tony.
> -- 
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Cyclonic 4 or 5,
> occasionally 6 in Hebrides, Bailey and Southeast Iceland. Moderate or rough,
> occasionally very rough in Hebrides and Bailey. Wintry showers. Good,
> occasionally poor.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 9.11 can't validate sss.gov

Reply via email to