Both servers are broken. One fails to implement DNS COOKIE (RFC 7873) correctly. Note that the "Client COOKIE mismatch" is reported. Named rejects the response because the client cookie does not match that sent to the server. The response looks like someone trying to spoof the response. The other is lame (doesn’t serve the zone).
What should happen here is that the vendor of the nameserver running on ns1.bitworks.net should fix their server and issue an advisory that their server is broken and does not interoperate with servers sending DNS COOKIES to all their customers. This will require BITWORKS.NET reporting the fault to their vendor.

In the meantime you can stop named sending DNS COOKIE options to the server with:

    server 213.188.101.9 { send-cookie false; };

Mark

% dig dqb.info @ns1.bitworks.net +qr

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> dqb.info @ns1.bitworks.net +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53280
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 14e8a45ea8077fb5
;; QUESTION SECTION:
;dqb.info.                      IN      A

;; QUERY SIZE: 49

;; Warning: Client COOKIE mismatch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53280
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ec01cc010200000001000000000000000000000000000000 (bad)
;; QUESTION SECTION:
;dqb.info.                      IN      A

;; ANSWER SECTION:
dqb.info.               86400   IN      A       178.250.160.91

;; AUTHORITY SECTION:
dqb.info.               86400   IN      NS      ns4.tmag.de.
dqb.info.               86400   IN      NS      ns1.bitworks.net.

;; ADDITIONAL SECTION:
ns1.bitworks.net.       300     IN      A       213.188.101.9

;; Query time: 378 msec
;; SERVER: 213.188.101.9#53(213.188.101.9)
;; WHEN: Tue Jan 28 08:52:13 AEDT 2020
;; MSG SIZE  rcvd: 152

%
% dig dqb.info @ns4.tmag.de

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> dqb.info @ns4.tmag.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47126
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dqb.info.                      IN      A

;; AUTHORITY SECTION:
info.                   18657   IN      NS      a0.info.afilias-nst.info.
info.                   18657   IN      NS      a2.info.afilias-nst.info.
info.                   18657   IN      NS      b0.info.afilias-nst.org.
info.                   18657   IN      NS      b2.info.afilias-nst.org.
info.                   18657   IN      NS      c0.info.afilias-nst.info.
info.                   18657   IN      NS      d0.info.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.info.afilias-nst.info. 105080 IN     AAAA    2001:500:19::1
a0.info.afilias-nst.info. 18680 IN      A       199.254.31.1
a2.info.afilias-nst.info. 105080 IN     AAAA    2001:500:41::1
a2.info.afilias-nst.info. 18680 IN      A       199.249.113.1
b0.info.afilias-nst.org. 105080 IN      A       199.254.48.1
b0.info.afilias-nst.org. 105080 IN      AAAA    2001:500:1a::1
b2.info.afilias-nst.org. 105080 IN      A       199.249.121.1
b2.info.afilias-nst.org. 105080 IN      AAAA    2001:500:49::1
c0.info.afilias-nst.info. 105080 IN     AAAA    2001:500:1b::1
c0.info.afilias-nst.info. 18680 IN      A       199.254.49.1
d0.info.afilias-nst.org. 105080 IN      A       199.254.50.1
d0.info.afilias-nst.org. 105080 IN      AAAA    2001:500:1c::1

;; Query time: 322 msec
;; SERVER: 193.254.185.231#53(193.254.185.231)
;; WHEN: Tue Jan 28 08:47:20 AEDT 2020
;; MSG SIZE  rcvd: 440

%

> On 28 Jan 2020, at 07:51, Stephan von Krawczynski <skraw...@ithnet.com> wrote:
>
> On Mon, 27 Jan 2020 16:36:42 +0100
> Anand Buddhdev <ana...@ripe.net> wrote:
>
>> On 27/01/2020 16:26, Stephan von Krawczynski wrote:
>>
>> Hi Stephan,
>>
>>> I would have expected that bind finds the domain by using the working
>>> nameserver and ignoring the dead one. But obviously it does not.
>>> Did I misconfigure something? I thought both nameservers should be
>>> questioned and the first working result be used, or not?
>>
>> Without knowing which domain it is, we can't even begin to guess at the
>> problem, because things in DNS could be broken in many different ways.
>>
>> I would advise you to reveal the problematic domain name, and you will
>> get help much faster.
>>
>> Regards,
>> Anand
>
> Hello Anand,
>
> the domain in question is "dqb.info".
> Please keep in mind, the domain is in no way related to me. I was just
> notified by access customers that we fail to deliver it.
>
> --
> Regards,
> Stephan
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
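
Added example, not part of the message above and not BIND's code: a minimal Python sketch of the client-side check RFC 7873 calls for, run against the two cookie values shown in the dig output. The function names, the result strings and the GOOD_REPLY value are constructed for this illustration.

```python
import struct

COOKIE_OPTION_CODE = 10   # EDNS option code for COOKIE (RFC 7873)
CLIENT_LEN = 8            # client cookie: exactly 8 bytes
SERVER_MIN, SERVER_MAX = 8, 32   # server cookie: 8 to 32 bytes when present

def edns_options(opt_rdata):
    """Yield (code, data) for each option packed in an OPT record's RDATA."""
    offset = 0
    while offset < len(opt_rdata):
        if offset + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", opt_rdata, offset)
        offset += 4
        if offset + length > len(opt_rdata):
            raise ValueError("EDNS option data overruns RDATA")
        yield code, opt_rdata[offset:offset + length]
        offset += length

def check_response_cookie(sent_client_cookie, opt_rdata):
    """Classify the COOKIE option in a response against the cookie we sent."""
    cookies = [d for c, d in edns_options(opt_rdata) if c == COOKIE_OPTION_CODE]
    if not cookies:
        return "no-cookie"                 # response carries no COOKIE option
    data = cookies[0]
    server_len = len(data) - CLIENT_LEN
    if len(data) != CLIENT_LEN and not SERVER_MIN <= server_len <= SERVER_MAX:
        return "malformed"                 # a length RFC 7873 does not allow
    if data[:CLIENT_LEN] != sent_client_cookie:
        return "client-cookie-mismatch"    # the condition dig warned about
    return "ok"

def opt_rdata_with_cookie(cookie):
    """Helper (added here): wrap cookie bytes as a single EDNS COOKIE option."""
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(cookie)) + cookie

# Cookie values copied from the dig output in the message above.
SENT = bytes.fromhex("14e8a45ea8077fb5")
NS1_REPLY = bytes.fromhex("ec01cc010200000001000000000000000000000000000000")
# Constructed contrast case: a server that echoes the client cookie correctly.
GOOD_REPLY = SENT + bytes.fromhex("0011223344556677")

if __name__ == "__main__":
    for name, cookie in (("ns1.bitworks.net", NS1_REPLY), ("constructed", GOOD_REPLY)):
        print(name, check_response_cookie(SENT, opt_rdata_with_cookie(cookie)))
```

The first 8 bytes of the ns1.bitworks.net reply differ from the cookie that was sent, so a conforming client has to treat the answer as untrusted even though the rest of the response looks valid.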