No. Treating no response as anything other than packet loss leads to lookups
failing when it is packet loss.
Mark
--
Mark Andrews
> On 16 Jun 2019, at 23:10, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:
>
>
>> On 16/06/19 12:37, Mark Andrews wrote:
>> The servers for this zone are broken, they do not respond to queries with DNS
>> COOKIE options present. You can add server options to named.conf to work
>> around
>> this while Barclays fix their servers / firewalls. Modern recursive servers
>> are
>> no longer working around broken servers that do not respond to queries. See
>> DNS flag day. It looks like Barclays ignored the messages.
>> e.g. server 157.83.102.245 { send-cookie false; };
>
> Thank you for that - that is very helpful. Is there a named.conf option to
> leave the cookie support turned on, but for Bind to retry a query without
> cookies if it fails with cookies attached?
>
>
>
>> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
>> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com
>> +nocookie
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47102
>> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;federate-secure.glbaa.barclays.com. IN A
>> ;; ANSWER SECTION:
>> federate-secure.glbaa.barclays.com. 30 IN A 157.83.96.50
>> ;; Query time: 491 msec
>> ;; SERVER: 157.83.102.245#53()
>> ;; WHEN: Sun Jun 16 21:03:48 AEST 2019
>> ;; MSG SIZE rcvd: 79
>> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com
>> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>> %
>>> On 16 Jun 2019, at 6:43 pm, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:
>>>
>>> I have discovered Friday that the following domain used by Barclays bank in
>>> UK doesn't resolve properly - but only on some of my servers running Bind:
>>>
>>> federate-secure.glbaa.barclays.com
>>>
>>> It works on a server with v9.12.3, but it fails on a server with v9.11.0
>>> and another one with v9.14.2. However, I don't think that the Bind version
>>> has anything to do with it. All servers are recursive servers.
>>>
>>> It also resolves fine if I point to Google dns servers.
>>>
>>> I've ran tests on the domain above using the MX Toolbox dns checker
>>> (mxtoolbox.com), and it fails with the following errors:
>>>
>>> 3 ns22.barclays.net 157.83.102.246 TIMED-OUT 518 ms , rcode=NO_DATA
>>> 3 ns21.barclays.com 157.83.102.245 TIMED-OUT 509 ms , rcode=NO_DATA
>>> 3 ns23.barclays.com 157.83.126.245 TIMED-OUT 504 ms , rcode=NO_DATA
>>> 3 ns24.barclays.net 157.83.126.246 TIMED-OUT 517 ms , rcode=NO_DATA
>>>
>>> I've had to temporarily disable and bypass the local Bind instance on this
>>> server and point to Google dns, as users couldn't use online banking from
>>> Barclays because of the issue above.
>>>
>>> Does anybody have any idea why would it work on some servers and with
>>> Google dns, but not on other servers with Bind? Also, would someone mind
>>> trying to resolve the above domain at their end and see if they get the
>>> same errors please.
>>>
>>> Any suggestions appreciated. Thank you.
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
