Hi,

I’ve been trying bind 9.14.2 and I have noticed a couple of behavior differences between 9.11 and 9.14.

Problem 1:

I had a problem resolving the rigol.com domain. Looking at packet captures and comparing I saw that the authoritative servers for rigol.com were ignoring packets with a cookie option.

On 9.14 the operation got stuck when sending a query to 140.205.81.61, 140.205.81.62, 140.205.228.61 and 140.205.228.62.

My server was sending a query with a cookie, timing out after several retries and returning a SERVFAIL. I tried to disable cookies and this time it worked. Looks like a misconfigured server is discarding DNS queries with options it doesn’t understand.

Disabling cookies on my server (send-cookie no) fixed it. Seems that the DNSSEC and EDNS option works.

With 9.11 the behavior is different. After several attempts without an answer it sends a query without EDNS options that gets a reply.

Note that it’s not a simple case of rejecting queries with EDNS options. The offending name servers are ignoring queries with the cookie option, not with “accept DNSSEC security RRs”. As long as the cookie is not present they reply.

Anyway, 9.11 retries without options, 9.14 times out and returns a SERVFAIL. Is this intended?


Problem 2:

I also noticed that 9.14.2 is not resolving login.repsol.com A (returning SERVFAIL) while 9.11.7 does.

Seems to be a misconfiguration problem in some of the authoritative servers, yet 9.11 works and 9.14 SERVFAILs.

Is all of this part of a collective “DNS Flag Day”? ;) Or is it unintended?

Thanks!

Borja Marcos.
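Added here as a diagnostic sketch (example code, not from the original mail or from BIND): it builds the same A query three ways, with EDNS and a COOKIE option, with EDNS but no cookie, and with no EDNS at all, so the three variants described above can be compared against a given authoritative server. The `probe` helper, the UDP port 53 target and the 2-second timeout are assumptions, and the client cookie is a random constructed value rather than BIND's secret-derived one.

```python
import os, socket, struct

OPT_TYPE, EDNS_COOKIE = 41, 10   # OPT pseudo-RR type (RFC 6891); COOKIE option code (RFC 7873)

def build_query(name, qtype=1, edns=True, cookie=True, dnssec_ok=True, txid=0x1234):
    """DNS query for `name`; optionally with an OPT RR, optionally carrying a COOKIE option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # Constructed 8-byte client cookie (a real resolver derives it from a secret + server address)
    rdata = struct.pack("!HH", EDNS_COOKIE, 8) + os.urandom(8) if cookie else b""
    do_bit = 0x8000 if dnssec_ok else 0          # the DO flag lives in the OPT RR's "TTL" field
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, do_bit, len(rdata)) + rdata
    return header + question + opt

def _skip_name(buf, off):
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label 1

def edns_options(packet):   # -> {option_code: data} from the OPT RR, or None when there is no EDNS
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4        # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        rdata, off = packet[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            opts, p = {}, 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                opts[code], p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            return opts
    return None

def _answered(server, query, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            return sock.recvfrom(4096)[0][:2] == query[:2]   # reply with matching transaction ID
        except socket.timeout:
            return False

def probe(server, name, timeout=2.0):
    """Ask the same question three ways; True means the server answered that variant."""
    variants = {"edns+cookie": {}, "edns-no-cookie": {"cookie": False}, "no-edns": {"edns": False}}
    return {label: _answered(server, build_query(name, **kw), timeout) for label, kw in variants.items()}
```

A server that answers only the "edns-no-cookie" and "no-edns" variants shows the pattern described in the mail: it is the cookie option, not EDNS or the DO bit, that is being dropped.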