No. Treating no response as anything other than packet loss leads to lookups failing when it is packet loss.
Mark -- Mark Andrews > On 16 Jun 2019, at 23:10, Sebastian Arcus <s.ar...@open-t.co.uk> wrote: > > >> On 16/06/19 12:37, Mark Andrews wrote: >> The servers for this zone are broken, they do not respond to queries with DNS >> COOKIE options present. You can add server options to named.conf to work >> around >> this while Barclays fix their servers / firewalls. Modern recursive servers >> are >> no longer working around broken servers that do not respond to queries. See >> DNS flag day. It looks like Barclays ignored the messages. >> e.g. server 157.83.102.245 { send-cookie false; }; > > Thank you for that - that is very helpful. Is there a named.conf option to > leave the cookie support turned on, but for Bind to retry a query without > cookies if it fails with cookies attached? > > > >> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie >> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com >> +nocookie >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47102 >> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 >> ;; WARNING: recursion requested but not available >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 4096 >> ;; QUESTION SECTION: >> ;federate-secure.glbaa.barclays.com. IN A >> ;; ANSWER SECTION: >> federate-secure.glbaa.barclays.com. 30 IN A 157.83.96.50 >> ;; Query time: 491 msec >> ;; SERVER: 157.83.102.245#53() >> ;; WHEN: Sun Jun 16 21:03:48 AEST 2019 >> ;; MSG SIZE rcvd: 79 >> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com >> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com >> ;; global options: +cmd >> ;; connection timed out; no servers could be reached >> % >>> On 16 Jun 2019, at 6:43 pm, Sebastian Arcus <s.ar...@open-t.co.uk> wrote: >>> >>> I have discovered Friday that the following domain used by Barclays bank in >>> UK doesn't resolve properly - but only on some of my servers running Bind: >>> >>> federate-secure.glbaa.barclays.com >>> >>> It works on a server with v9.12.3, but it fails on a server with v9.11.0 >>> and another one with v9.14.2. However, I don't think that the Bind version >>> has anything to do with it. All servers are recursive servers. >>> >>> It also resolves fine if I point to Google dns servers. >>> >>> I've ran tests on the domain above using the MX Toolbox dns checker >>> (mxtoolbox.com), and it fails with the following errors: >>> >>> 3 ns22.barclays.net 157.83.102.246 TIMED-OUT 518 ms , rcode=NO_DATA >>> 3 ns21.barclays.com 157.83.102.245 TIMED-OUT 509 ms , rcode=NO_DATA >>> 3 ns23.barclays.com 157.83.126.245 TIMED-OUT 504 ms , rcode=NO_DATA >>> 3 ns24.barclays.net 157.83.126.246 TIMED-OUT 517 ms , rcode=NO_DATA >>> >>> I've had to temporarily disable and bypass the local Bind instance on this >>> server and point to Google dns, as users couldn't use online banking from >>> Barclays because of the issue above. >>> >>> Does anybody have any idea why would it work on some servers and with >>> Google dns, but not on other servers with Bind? Also, would someone mind >>> trying to resolve the above domain at their end and see if they get the >>> same errors please. >>> >>> Any suggestions appreciated. Thank you. >>> _______________________________________________ >>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >>> unsubscribe from this list >>> >>> bind-users mailing list >>> bind-users@lists.isc.org >>> https://lists.isc.org/mailman/listinfo/bind-users > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users