odbc.ucas.com lookup problem
Kevin Darcy
kcd at chrysler.com
Tue Jul 20 19:33:28 UTC 2010
On 7/20/2010 1:41 PM, Tony Finch wrote:
> On Tue, 20 Jul 2010, Kevin Darcy wrote:
>
>> It seems that UCAS is just proxying non-A queries from its load-balancers back
>> to its regular nameservers.
>>
> No, the load balancers are simply braindamaged. Try SOA or NS or TXT
> queries and you get a timeout.
>
The contents of the ucas.com SOA record they return in their negative
reply don't match up with what the authoritative servers return, so
it's anyone's guess where that's coming from -- a stale "shadow" version
of the zone, an *internal* version of the zone (which if true
would/should raise security concerns), something statically configured
into the load-balancers themselves, who knows?

I was trying to give them the benefit of the doubt as to a
misconfiguration of their devices, but I'm starting to agree with you
that this is simply YABLI (Yet Another Braindamaged Load-balancer
Implementation).

Timing out on non-A/non-AAAA queries is of course reprehensible, but
what's even worse is the sending of spurious NXDOMAINs in response to
"unexpected" QTYPEs, under certain configurations of a particular make
of load-balancer. That's a DoS waiting to happen. Fortunately the vendor
in question there recognizes the problem and is working on a fix for it.

- Kevin
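
The three symptoms discussed in this message (timeouts on non-address QTYPEs, NXDOMAIN for a name that has data under another type, and a negative-reply SOA that differs from the authoritative one) can be checked mechanically. The following is an added example, not part of the original post or of BIND; the `Obs` record, the function names and the `example.test` sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Obs:
    """One observed response for a single owner name (hypothetical record)."""
    qtype: str
    rcode: Optional[str]                       # None means the query timed out
    answers: int = 0
    neg_soa: Optional[Tuple[str, int]] = None  # (MNAME, serial) in authority section

def audit(observations, auth_soa):
    """Return (qtype, finding) pairs for one owner name."""
    exists = any(o.rcode == "NOERROR" and o.answers > 0 for o in observations)
    findings = []
    for o in observations:
        if o.rcode is None:
            findings.append((o.qtype, "timeout"))
        elif o.rcode == "NXDOMAIN" and exists:
            # The name has data under another type, so the correct negative
            # answer is NOERROR with an empty answer section (NODATA).
            findings.append((o.qtype, "spurious-nxdomain"))
        if o.neg_soa is not None and o.neg_soa != auth_soa:
            findings.append((o.qtype, "soa-mismatch"))
    return findings

def denied_by_negative_cache(query_order, observations):
    """Simplified RFC 2308 model: a cached NXDOMAIN covers the name for
    every QTYPE, so later queries are answered NXDOMAIN from cache."""
    by_type = {o.qtype: o for o in observations}
    cached_nx, denied = False, []
    for qtype in query_order:
        if cached_nx:
            denied.append(qtype)
        elif by_type[qtype].rcode == "NXDOMAIN":
            cached_nx = True
    return denied

# Constructed sample data: what the authoritative servers publish, and what
# a misbehaving front end returns for the same name.
AUTH_SOA = ("ns1.example.test.", 100)
SAMPLE = [
    Obs("A", "NOERROR", answers=1),
    Obs("AAAA", "NOERROR", neg_soa=("lb.example.test.", 7)),
    Obs("MX", "NXDOMAIN", neg_soa=("lb.example.test.", 7)),
    Obs("TXT", None),
]

if __name__ == "__main__":
    print(audit(SAMPLE, AUTH_SOA))
    print(denied_by_negative_cache(["MX", "A"], SAMPLE))
```

The second function shows why the spurious NXDOMAIN is the availability risk: once a resolver caches it, a following A lookup for the same name is refused from cache even though the A record exists.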