Again question about edns (like swupdl.adobe.com)

Mark Andrews marka at isc.org
Wed Oct 22 23:10:37 UTC 2014


In message <000001cfede3$241ccca0$6c5665e0$@ids.it>, "IDS Submit" writes:
>
> Good morning,
>
> with www.acer.it I have the same problem as swupdl.adobe.com
>
> NXDOMAIN with bind 9.10 but NOERROR with Google DNS
>
> I have read the Mark Andrews reply of July 4 2014:
>
> ------------------------------------------------------------------
>
> It looks like nameserver vendors are not doing even rudimentary checks like
> those above.  DiG has those options so that we could perform checks like
> these.
>
> Until Adobe fix their broken servers you can use a server clause to
> disable sending SIT requests to them.  Obviously this does not scale.
>
>       server <address> { request-sit no; };
>
> Mark
>
> ------------------------------------------------------------------
>
> But this doesn't solve the problem on other domains.
>
> Should it be possible to enable "request-sit no" for all domains and not
> manually add it?

You can turn it off globally.  request-sit is actually documented.

> Because I think there are a lot of domains with this problem :(

Servers returning NXDOMAIN to unknown EDNS options don't even raise
a blip in the EDNS compliance testing I've been doing.  They are
extremely rare which is why I suggested the server clause then
complaining.

The only reason you notice them is that they cause operational
problems for you, not because they are common.  This is a normal
psychological reaction.

Dropping the query, formerr, badvers are much more common (multiple
percentage points) and unless the zone is signed these just slow
down rather than prevent the resolution in BIND 9.10.1.  There is
only so much trial and error one can do to get a response.

NXDOMAIN would show up as a "status" in the various "Unknown Option
Failure Reasons" graphs of which there were exactly 3 servers on
the 2014-10-21 run, none of which returned NXDOMAIN on examination.

The test script which generates the graphs referenced below has been
updated to differentiate NXDOMAIN responses.

http://users.isc.org/~marka/ts.html

Mark

> ------------------------------------------------------------------
>
> \Server\Bind\bin\dig.exe @81.174.15.142 www.acer.it
>
> ; <<>> DiG 9.10.1 <<>> @81.174.15.142 www.acer.it
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.acer.it.                   IN      A
>
> ;; ANSWER SECTION:
> www.acer.it.            300     IN      CNAME public-akamai.gtm.acer.com.
>
> ;; AUTHORITY SECTION:
> gtm.acer.com.           60      IN      SOA     gtm1.acer.com.  hostmaster.gtm1.acer.com. 482 10800 3600 604800 60
>
> ;; Query time: 572 msec
> ;; SERVER: 81.174.15.142#53(81.174.15.142)
> ;; WHEN: Wed Oct 22 12:13:12 ora legale Europa occidentale 2014
> ;; MSG SIZE  rcvd: 132
>
> ------------------------------------------------------------------
>
> ------------------------------------------------------------------
>
> \Server\Bind\bin\dig.exe @8.8.8.8 www.acer.it
>
> ; <<>> DiG 9.10.1 <<>> @8.8.8.8 www.acer.it
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.acer.it.                   IN      A
>
> ;; ANSWER SECTION:
> www.acer.it.            281     IN      CNAME   public-akamai.gtm.acer.com.
> public-akamai.gtm.acer.com. 11  IN      CNAME   www.acer.com.edgesuite.net.
> www.acer.com.edgesuite.net. 12306 IN    CNAME   a492.b.akamai.net.
> a492.b.akamai.net.      19      IN      A       88.149.196.137
> a492.b.akamai.net.      19      IN      A       88.149.196.145
>
> ;; Query time: 60 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Oct 22 12:14:02 ora legale Europa occidentale 2014
> ;; MSG SIZE  rcvd: 180
>
> ------------------------------------------------------------------
>
> Thanks in advance and best regards
>
> Staff IDS
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
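
Added example, not part of the original message and not ISC's test script: a Python check of the behaviour discussed in this thread, sending the same query once with plain EDNS and once with an unknown EDNS option and comparing the RCODEs. The option code 65001, the query ID and all function names are assumptions chosen for illustration.

```python
import socket
import struct

UNKNOWN_OPT = 65001  # assumption: any code from the RFC 6891 local/experimental range
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, options=None):
    """Wire-format A query. options=None: no EDNS; a list of (code, data)
    pairs: add an EDNS0 OPT record carrying them (an empty list is plain EDNS)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, 0 if options is None else 1)
    msg += qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    if options is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return msg

def rcode_of(response):
    """Header RCODE name; None means no reply. BADVERS (extended RCODE) is not decoded."""
    if response is None:
        return "TIMEOUT"
    if len(response) < 12:
        return "MALFORMED"
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def classify(plain_reply, option_reply):
    """Compare replies to plain EDNS and to EDNS with an unknown option."""
    plain, opt = rcode_of(plain_reply), rcode_of(option_reply)
    if plain in ("TIMEOUT", "MALFORMED"):
        return "no baseline: %s" % plain
    if plain == opt:
        return "ok: unknown option ignored (%s)" % plain
    return "differs: %s plain, %s with unknown option" % (plain, opt)

def probe(server, name, timeout=3.0):
    """Send both queries over UDP to `server` and classify the pair of replies."""
    replies = []
    for options in ([], [(UNKNOWN_OPT, b"")]):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, 0x1234, options), (server, 53))
            try:
                replies.append(s.recvfrom(4096)[0])
            except socket.timeout:
                replies.append(None)
    return classify(*replies)
```

Point `probe()` at an authoritative server for the zone rather than at a recursive resolver, since the resolver's own EDNS handling would mask the result.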
