9.11 can't validate sss.gov

Mark Andrews marka at isc.org
Fri Jan 19 23:04:58 UTC 2018


Yes, Qwest were informed years ago that their servers are broken. Report this to the .gov site operators. The servers return BADVERS to the queries, which was never part of the EDNS spec and is an invention of the servers' developers. FORMERR was permissible by STD13, but this was tightened when the EDNS spec was revised to say ignore unknown EDNS options.

-- 
Mark Andrews

> On 20 Jan 2018, at 03:39, Tony Finch <dot at dotat.at> wrote:
> 
> Timothy A. Holtzen <tah at NebrWesleyan.edu> wrote:
> 
>> I've run into an odd problem.  On the same host with nearly identical
>> configurations.  Bind 9.10.6 can resolve and DNSSEC validate sss.gov but
>> Bind 9.11.2 cannot.
> 
> Ah, this is because sss.gov is hosted on Qwest's DNS servers that have
> broken EDNS logic which is incompatible with DNS cookies.
> 
> I have a short script (quoted below) which generates a blacklist of broken
> servers which is included in my `named.conf`.
> 
> The number of problem reports I've received is mercifully small - Qwest
> are the worst cookie offenders.
> 
> ########################################################################
> 
> #!/bin/sh
> 
> set -eu
> 
> noedns=roles/named/files/named.conf.noedns
> 
> # start with an empty include file
> : >"$noedns"
> 
> # qwest - bea.gov
> # barclays - myapplication.international.barclays.com
> 
> for s in        sauthns1.qwest.net. \
>                sauthns2.qwest.net. \
>                ns21.barclays.com. \
>                ns22.barclays.net. \
>                ns23.barclays.com. \
>                ns24.barclays.net.
> do
>        # one "name type address" line per A/AAAA record of each server
>        dig +noall +nottl +noclass +answer "$s" a "$s" aaaa
> done |
> sort |
> while   read -r s t a
> do      echo "server $a { send-cookie no; }; # $s"
> done    >>"$noedns"
> 
> ########################################################################
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Cyclonic 4 or 5,
> occasionally 6 in Hebrides, Bailey and Southeast Iceland. Moderate or rough,
> occasionally very rough in Hebrides and Bailey. Wintry showers. Good,
> occasionally poor.
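The check described in this thread, as an added example that is not part of either message: it reads saved `dig` output, takes the rcode from the header line, and prints the `send-cookie no` stanza from the quoted script only when the server answered BADVERS or FORMERR. It assumes the output was captured from a version-0 EDNS query that carried a cookie option (for example `dig +cookie`); the function names, sample headers, addresses and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a server's reply to an EDNS(0) query carrying a
# DNS COOKIE option, from saved `dig` output, and emit the named.conf
# workaround quoted in this thread for servers that reject it.

# Print the rcode from dig's ";; ->>HEADER<<- ... status: X, id: N" line.
edns_rcode() {
    sed -n '/->>HEADER<<-/{s/.*status: \([A-Z0-9]*\),.*/\1/p;q;}'
}

# Read dig output on stdin and print a one-word verdict.
#   BADVERS: wrong for a version-0 query; the option was unknown, not the version
#   FORMERR: allowed by STD13, ruled out by the revised EDNS spec
classify_edns() {
    case "$(edns_rcode)" in
        NOERROR|NXDOMAIN) echo ok ;;
        BADVERS|FORMERR)  echo broken ;;
        "")               echo no-response ;;
        *)                echo other ;;
    esac
}

# noedns_line ADDR NAME: read dig output on stdin; print a server stanza
# only when the reply shows the broken behaviour.
noedns_line() {
    if [ "$(classify_edns)" = broken ]; then
        echo "server $1 { send-cookie no; }; # $2"
    fi
}

# Constructed dig headers (addresses are RFC 5737 documentation space,
# host names are hypothetical).
HDR_BAD=';; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 4242'
HDR_OLD=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4243'
HDR_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244'

printf '%s\n' "$HDR_BAD" | noedns_line 192.0.2.1 ns1.example.
printf '%s\n' "$HDR_OLD" | noedns_line 192.0.2.2 ns2.example.
printf '%s\n' "$HDR_OK"  | noedns_line 192.0.2.3 ns3.example.
```

A timeout or truncated capture has no header line and is reported as `no-response`, so it never produces a stanza.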


