FYI: adobe.com GSLB DNS servers choking on "nsid"
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 13 12:49:37 UTC 2015
On 13/01/15 12:39, Phil Mayers wrote:
> On 13/01/15 12:37, Anand Buddhdev wrote:
>> On 13/01/15 13:27, Phil Mayers wrote:
>>
>>> Just to save anyone else the trouble, I've just found that some of the
>>> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
>>
>> It's not just NSID. They're responding with NXDOMAIN if you send any
>> EDNS option they don't understand, so it's the same with the EXPIRE and
>> SUBNET options as well.
>
> Yeah, I just found that. Turns out we're getting caught out because we
> have "sit" enabled (accidentally).
>
> This must be recent(-ish) though; we've been on 9.10 since December and
> only just had the report.
>
Just found another; dns{0,1}.getsurfed.com are returning crazy error
codes with "nsid" (and presumably other) edns options:

# dig +norec +nsid @213.162.97.177 www.london-nano.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: ?17, id: 21450

Sigh...

I'd advise strongly against people enabling "sit" in 9.10 right now...
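
The following is an added example, not part of the original post or of BIND: it builds the kind of query shown above (RD clear, OPT record carrying an empty NSID option) and decodes the 12-bit RCODE from a reply, which is the only way a status above 15 such as 17 can appear (RFC 6891 puts the upper 8 bits in the OPT TTL). The function names and the reply bytes are constructed for illustration; nothing is sent on the network.

```python
import struct

NSID = 3  # EDNS option code for NSID (RFC 5001)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qid, options=()):
    """A/IN query with RD clear (as dig +norec) plus an OPT RR carrying options."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    # OPT RR: root owner, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def full_rcode(msg):
    """Return (rcode, saw_opt), combining header and OPT bits per RFC 6891."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, saw_opt = flags & 0x0F, 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            saw_opt = True
            rcode |= (ttl >> 24) << 4  # upper 8 RCODE bits sit in the OPT TTL
    return rcode, saw_opt

def sample_response(query, hdr_rcode, ext_hi):
    """Constructed reply: echoes the question, sets QR and the two RCODE parts."""
    qend = skip_name(query, 12) + 4
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ext_hi << 24, 0)
    head = query[:2] + struct.pack("!HHHHH", 0x8000 | hdr_rcode, 1, 0, 0, 1)
    return head + query[12:qend] + opt

query = build_query("www.london-nano.com", 21450, [(NSID, b"")])
```

Comparing `full_rcode()` for the same question sent with and without options separates a server that rejects unknown EDNS options from one that simply has no such name.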
More information about the bind-users
mailing list