Problem looking up domain dryfire.com
Mark Andrews
marka at isc.org
Fri Aug 19 06:34:57 UTC 2016
In message <9f949ee6-6386-c986-698e-e4a46e6cfafb at thelounge.net>, Reindl Harald
writes:
> Am 16.08.2016 um 11:04 schrieb Eivind Olsen:
> > I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving
> > getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for
> > RHEL/CentOS/Fedora.
>
> why do you use a 3rd party package?
>
> no problem here with bind-9.10.4-1.P2.fc24.x86_64 from the Fedora repos
Presumably bind-9.10.4-1.P2.fc24.x86_64 doesn't have DNS COOKIE
support enabled or you would be seeing these diagnostic messages.
BIND 9.11 has DNS COOKIE support on by default. DiG also has it
turned on. If you go to https://ednscomp.isc.org/compliance/summary.html
you can see how authoritative server support is improving for unknown
EDNS options. That page tracks all EDNS extension methods.
The point of writing RFCs is to avoid issues like this. RFC 6891
is clear about how a nameserver handles unknown EDNS versions and
unknown EDNS options. This server doesn't handle either event
properly. Its predecessor, RFC 2671, was also completely clear
about handling unknown EDNS versions. One of the changes between
RFC 2671 and RFC 6891 was to clarify unknown EDNS option handling.
ISC has an online EDNS compliance tester <https://ednscomp.isc.org/ednscomp>.
You can point it at any zone to test how the servers behave. Below
is the output for dryfire.com.
Mark
Checking: 'dryfire.com' as at 2016-08-19T06:10:51Z
dryfire.com @213.162.97.177 (dns0.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
dryfire.com @213.162.97.178 (dns1.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
The Following Tests Failed
EDNS - Unknown Version Handling (edns1)
dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use
EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
EDNS - Unknown Version with Unknown Option Handling (edns1opt)
dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891
EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and See RFC6891
EDNS - Supported Options Probe (optlist)
dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891
Codes
ok - test passed.
nosoa - SOA record not found when expected.
status - expected rcode status code not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/85c5dc541f
> > I can do manual lookups of the domain with "dig" and point it to their
> > servers (dns0.getsurfed.com, dns1.getsurfed.com) but it fails for me if
> > I go through my BIND installation.
> >
> > The named.run log contains lines like this:
> >
> > 16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.178#53
> > 16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.177#53
> >
> > A search for "17 unexpected RCODE" seems to indicate this might be
> > caused by incompatibility between SIT/DNS cookies and older versions of
> > NSD. Is this also what's happening in my case here?
>
> ;; ANSWER SECTION:
> dryfire.com. 21600 IN A 109.109.232.98
>
> ;; ANSWER SECTION:
> dryfire.com. 21595 IN NS dns0.getsurfed.com.
> dryfire.com. 21595 IN NS dns1.getsurfed.com.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
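As an added example that is not part of Mark's message or of ISC's tester, the Python below applies the edns1, ednsopt and edns1opt expectations listed in the report (BADVERS vs NOERROR, OPT version 0, SOA present or absent, unknown option not echoed) to DNS responses in wire format. build_response and the dryfire.com SOA messages it produces are constructed test data with a placeholder message id and SOA rdata, not real server output.

```python
import struct
OPT, SOA, BADVERS = 41, 6, 16   # BADVERS = extended RCODE 1 (high byte of OPT TTL) with low 4 bits 0
def skip_name(buf, off):
    """Offset just past a wire-format name; a compression pointer (0xC0..) ends it."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def parse_response(buf):
    """Fields the edns1/ednsopt tests judge: full rcode, OPT version, option codes, answer types."""
    qd, an, ns, ar = struct.unpack('!HHHH', buf[4:12])
    rcode, off, answer_types, opt = buf[3] & 0x0F, 12, [], None
    for _ in range(qd):
        off = skip_name(buf, off) + 4              # skip QTYPE + QCLASS
    for section, count in (('an', an), ('ns', ns), ('ar', ar)):
        for _ in range(count):
            off = skip_name(buf, off)
            rtype, _cls, ttl, rdlen = struct.unpack('!HHIH', buf[off:off + 10])
            rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if section == 'an':
                answer_types.append(rtype)
            if rtype == OPT:                       # RFC 6891 6.1.3: TTL = ext-rcode | version | flags
                rcode |= (ttl >> 24) << 4
                codes, p = [], 0
                while p + 4 <= len(rdata):         # walk the {code, length, data} option list
                    code, olen = struct.unpack('!HH', rdata[p:p + 4])
                    codes.append(code); p += 4 + olen
                opt = {'version': (ttl >> 16) & 0xFF, 'options': codes}
    return {'rcode': rcode, 'opt': opt, 'answer_types': answer_types}

def run_test(buf, expect_rcode, expect_soa, unknown_option=None):
    """Apply the tester's expectations; returns ['ok'] or the failed codes ('status', 'nosoa', ...)."""
    r = parse_response(buf)
    failed = []
    if r['rcode'] != expect_rcode or r['opt'] is None or r['opt']['version'] != 0:
        failed.append('status')
    if expect_soa != (SOA in r['answer_types']):
        failed.append('nosoa' if expect_soa else 'soa')
    if unknown_option is not None and r['opt'] and unknown_option in r['opt']['options']:
        failed.append('echoed')               # RFC 6891 6.1.2: unknown options must not be echoed
    return failed or ['ok']

def build_response(rcode_low, answers, ext_rcode, version, options=()):
    """Constructed dryfire.com SOA response (test data, not real server output)."""
    msg = struct.pack('!HHHHHH', 0x1234, 0x8000 | rcode_low, 1, len(answers), 0, 1)
    msg += b'\x07dryfire\x03com\x00' + struct.pack('!HH', SOA, 1)
    for rtype, rdata in answers:                # 0xC00C = pointer back to the question name
        msg += b'\xc0\x0c' + struct.pack('!HHIH', rtype, 1, 21600, len(rdata)) + rdata
    rdata = b''.join(struct.pack('!HH', c, len(p)) + p for c, p in options)
    return msg + b'\x00' + struct.pack('!HHIH', OPT, 4096, (ext_rcode << 24) | (version << 16), len(rdata)) + rdata
```

run_test(buf, BADVERS, False) is the edns1 test, run_test(buf, 0, True, 100) is ednsopt, and run_test(buf, BADVERS, False, 100) is edns1opt; a FORMERR reply with no SOA to the ednsopt probe yields ['status', 'nosoa'], the same codes the report shows for the getsurfed.com servers.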