Problem looking up domain dryfire.com

Mark Andrews marka at isc.org
Fri Aug 19 06:34:57 UTC 2016


In message <9f949ee6-6386-c986-698e-e4a46e6cfafb at thelounge.net>, Reindl Harald 
writes:
> Am 16.08.2016 um 11:04 schrieb Eivind Olsen:
> > I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving
> > getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for
> > RHEL/CentOS/Fedora.
>
> why do you use a 3rd party package?
>
> no problem here with bind-9.10.4-1.P2.fc24.x86_64 from the Fedora repos

Presumably bind-9.10.4-1.P2.fc24.x86_64 doesn't have DNS COOKIE
support enabled or you would be seeing these diagnostic messages.

BIND 9.11 has DNS COOKIE support on by default.  DiG also has it
turned on.  If you go to https://ednscomp.isc.org/compliance/summary.html
you can see how authoritative server support is improving for unknown
EDNS options.  That page tracks all EDNS extension methods.

The point of writing RFCs is to avoid issues like this.  RFC 6891
is clear about how a nameserver handles unknown EDNS versions and
unknown EDNS options.  This server doesn't handle either event
properly.  Its predecessor, RFC 2671, was also completely clear
about handling unknown EDNS versions.  One of the changes between
RFC 2671 and RFC 6891 was to clarify unknown EDNS option handling.

ISC has an online EDNS compliance tester <https://ednscomp.isc.org/ednscomp>.
You can point it at any zone to test how the servers behave.  Below
is the output for dryfire.com.

Mark

Checking: 'dryfire.com' as at 2016-08-19T06:10:51Z

dryfire.com @213.162.97.177 (dns0.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa
dryfire.com @213.162.97.178 (dns1.getsurfed.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=status,nosoa edns1opt=status do=ok ednsflags=ok edns@512tcp=timeout optlist=status,nosoa

The Following Tests Failed

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

EDNS - over TCP Response (edns@512tcp)

dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and See RFC6891

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
nosoa - SOA record not found when expected.
status - expected rcode status code not found.
timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/85c5dc541f

> > I can do manual lookups of the domain with "dig" and point it to their
> > servers (dns0.getsurfed.com, dns1.getsurfed.com) but it fails for me if
> > I go through my BIND installation.
> >
> > The named.run log contains lines like this:
> >
> > 16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.178#53
> > 16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE
> > resolving 'dryfire.com/NS/IN': 213.162.97.177#53
> >
> > A search for "17 unexpected RCODE" seems to indicate this might be
> > caused by incompatibility between SIT/DNS cookies and older versions of
> > NSD. Is this also what's happening in my case here?
>
> ;; ANSWER SECTION:
> dryfire.com.            21600   IN      A       109.109.232.98
>
> ;; ANSWER SECTION:
> dryfire.com.            21595   IN      NS      dns0.getsurfed.com.
> dryfire.com.            21595   IN      NS      dns1.getsurfed.com.
>
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
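The following script is an added, offline illustration of what the edns1 and ednsopt tests in the report above actually check; it is not part of Mark's message or of ISC's ednscomp tool. It builds the wire form of the `dig +norec +noad +edns=1` and `+ednsopt=100` SOA probes, parses constructed replies (a compliant BADVERS reply, a compliant NOERROR/SOA reply that drops the unknown option, and a broken reply like the "status,nosoa" case in the report that returns FORMERR with no SOA and echoes the option), and maps each to the report's result codes. The zone and hostnames are taken from the thread as placeholders; the result codes `noopt`, `version`, `soa` and `echoed` are names made up here for the expectations the report lists but has no short code for.

```python
import struct

# Constructed example: build the EDNS probes from the ednscomp report offline,
# parse constructed server replies, and map them to the report's result codes.
SOA, OPT = 6, 41
NOERROR, FORMERR, BADVERS = 0, 1, 16      # BADVERS only fits in the OPT extended rcode

def encode_name(name):
    """Uncompressed wire-format domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer is 2 bytes
            return off + 2
        off += 1 + length

def build_query(zone, edns_version=0, options=(), msg_id=0x1234, bufsize=4096):
    """Wire form of `dig +nocookie +norec +noad +edns=V [+ednsopt=CODE] soa zone`."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)       # RD=0, AD=0, one OPT
    question = encode_name(zone) + struct.pack("!HH", SOA, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = (edns_version & 0xFF) << 16                             # ext-rcode 0, DO off
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, bufsize, ttl, len(rdata)) + rdata

def build_response(query, rcode, answers=(), opt_version=0, options=()):
    """Constructed server reply that echoes the query's ID and question."""
    msg_id = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8400 | (rcode & 0x0F)                                # QR=1, AA=1, low rcode bits
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, len(d)) + d
                   for t, d in answers)                            # owner = pointer to question
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = ((rcode >> 4) << 24) | ((opt_version & 0xFF) << 16)     # upper rcode bits live here
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 1) + question + rrs + opt

def parse_response(buf):
    """Extract the full 12-bit rcode, the RR types present, and the OPT details."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    types, opt = [], None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype != OPT:
            types.append(rtype)
            continue
        codes, p = [], 0
        while p + 4 <= len(rdata):                                 # walk option code/length pairs
            code, length = struct.unpack_from("!HH", rdata, p)
            codes.append(code)
            p += 4 + length
        opt = {"version": (ttl >> 16) & 0xFF, "ext_rcode": ttl >> 24, "options": codes}
    rcode = (flags & 0x0F) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"rcode": rcode, "types": types, "opt": opt}

def evaluate(resp, expect_rcode, expect_soa, sent_option=None):
    """Map a parsed reply to the report's codes ('ok', 'status', 'nosoa'); the codes
    'soa', 'noopt', 'version' and 'echoed' are made up here for the other expectations."""
    codes = []
    if resp["rcode"] != expect_rcode:
        codes.append("status")
    if expect_soa and SOA not in resp["types"]:
        codes.append("nosoa")
    if not expect_soa and SOA in resp["types"]:
        codes.append("soa")
    if resp["opt"] is None:
        codes.append("noopt")
    else:
        if resp["opt"]["version"] != 0:
            codes.append("version")
        if sent_option is not None and sent_option in resp["opt"]["options"]:
            codes.append("echoed")
    return ",".join(codes) or "ok"

def demo(zone="dryfire.com"):
    """Run the edns1 and ednsopt checks against three constructed replies."""
    q_edns1 = build_query(zone, edns_version=1)
    q_opt = build_query(zone, options=[(100, b"")])
    soa_rdata = (encode_name("dns0.getsurfed.com") + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400))   # constructed SOA
    compliant_edns1 = build_response(q_edns1, BADVERS)
    compliant_opt = build_response(q_opt, NOERROR, answers=[(SOA, soa_rdata)])
    broken_opt = build_response(q_opt, FORMERR, options=[(100, b"")])    # echoes option 100
    return {
        "edns1": evaluate(parse_response(compliant_edns1), BADVERS, expect_soa=False),
        "ednsopt": evaluate(parse_response(compliant_opt), NOERROR, expect_soa=True, sent_option=100),
        "ednsopt_broken": evaluate(parse_response(broken_opt), NOERROR, expect_soa=True, sent_option=100),
    }
```

`demo()` returns `edns1=ok`, `ednsopt=ok` and `ednsopt_broken=status,nosoa,echoed`. The important detail for the edns1 case is that BADVERS (16) does not fit in the four header rcode bits, so a compliant server must include a version-0 OPT record carrying extended rcode 1; a reply without an OPT record can never signal BADVERS, which is why the report insists on "OPT record with version set to 0".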

