No.  Treating no response as anything other than packet loss leads to lookups 
failing when it is packet loss.

Mark

-- 
Mark Andrews

> On 16 Jun 2019, at 23:10, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:
> 
> 
>> On 16/06/19 12:37, Mark Andrews wrote:
>> The servers for this zone are broken, they do not respond to queries with DNS
>> COOKIE options present.  You can add server options to named.conf to work around
>> this while Barclays fix their servers / firewalls.  Modern recursive servers are
>> no longer working around broken servers that do not respond to queries.  See
>> DNS flag day.  It looks like Barclays ignored the messages.
>> e.g.    server 157.83.102.245 { send-cookie false; };
> 
> Thank you for that - that is very helpful. Is there a named.conf option to 
> leave the cookie support turned on, but for Bind to retry a query without 
> cookies if it fails with cookies attached?
> 
> 
> 
>> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
>> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47102
>> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;federate-secure.glbaa.barclays.com. IN    A
>> ;; ANSWER SECTION:
>> federate-secure.glbaa.barclays.com. 30 IN A    157.83.96.50
>> ;; Query time: 491 msec
>> ;; SERVER: 157.83.102.245#53()
>> ;; WHEN: Sun Jun 16 21:03:48 AEST 2019
>> ;; MSG SIZE  rcvd: 79
>> % dig federate-secure.glbaa.barclays.com @ns21.barclays.com
>> ; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>> %
>>> On 16 Jun 2019, at 6:43 pm, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:
>>> 
>>> I have discovered Friday that the following domain used by Barclays bank in 
>>> UK doesn't resolve properly - but only on some of my servers running Bind:
>>> 
>>> federate-secure.glbaa.barclays.com
>>> 
>>> It works on a server with v9.12.3, but it fails on a server with v9.11.0 
>>> and another one with v9.14.2. However, I don't think that the Bind version 
>>> has anything to do with it. All servers are recursive servers.
>>> 
>>> It also resolves fine if I point to Google dns servers.
>>> 
>>> I've run tests on the domain above using the MX Toolbox dns checker 
>>> (mxtoolbox.com), and it fails with the following errors:
>>> 
>>> 3  ns22.barclays.net  157.83.102.246  TIMED-OUT  518 ms  , rcode=NO_DATA
>>> 3  ns21.barclays.com  157.83.102.245  TIMED-OUT  509 ms  , rcode=NO_DATA
>>> 3  ns23.barclays.com  157.83.126.245  TIMED-OUT  504 ms  , rcode=NO_DATA
>>> 3  ns24.barclays.net  157.83.126.246  TIMED-OUT  517 ms  , rcode=NO_DATA
>>> 
>>> I've had to temporarily disable and bypass the local Bind instance on this 
>>> server and point to Google dns, as users couldn't use online banking from 
>>> Barclays because of the issue above.
>>> 
>>> Does anybody have any idea why it would work on some servers and with 
>>> Google dns, but not on other servers with Bind? Also, would someone mind 
>>> trying to resolve the above domain at their end and see if they get the 
>>> same errors please.
>>> 
>>> Any suggestions appreciated. Thank you.
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>> unsubscribe from this list
>>> 
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users

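An added example, not part of the thread and not BIND code: a Python probe that repeats the dig comparison quoted above, sending the same query with and without an EDNS COOKIE option and retrying each so that a single lost packet is not misread as a broken server. The function names and the two command-line arguments (server IP, query name) are assumptions of this example.

```python
import os, socket, struct, sys

COOKIE_OPT = 10  # EDNS option code for DNS COOKIE (RFC 7873)

def build_query(name, cookie=None, qid=0x1234, udp_size=4096):
    """A/IN query with an EDNS0 OPT record; carries a COOKIE option if cookie is given."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = b"" if cookie is None else struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def answered(server, packet, tries=3, timeout=3.0):
    """True if any of `tries` UDP sends gets a reply carrying the same query ID."""
    for _ in range(tries):  # repeat: one missing reply may just be packet loss
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(packet, (server, 53))
                if s.recvfrom(4096)[0][:2] == packet[:2]:
                    return True
            except OSError:  # includes socket.timeout
                pass
    return False

def classify(plain_ok, cookie_ok):
    """Interpret the pair of results the way the two dig runs are read."""
    if plain_ok and not cookie_ok:
        return "drops COOKIE queries"
    if not plain_ok and not cookie_ok:
        return "no response at all (unreachable or packet loss)"
    if cookie_ok and not plain_ok:
        return "inconclusive (plain query lost)"
    return "answers COOKIE queries"

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]  # e.g. an authoritative server IP and a name in its zone
    plain = answered(server, build_query(name))
    cookie = answered(server, build_query(name, cookie=os.urandom(8)))  # 8-byte client cookie
    print(server, classify(plain, cookie))
```

A server reported as "drops COOKIE queries" is a candidate for the per-server `send-cookie false;` workaround shown in the thread.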