bind 9.11, cookies by default

Carl Byington carl at byington.org
Wed Nov 16 21:37:14 UTC 2016


On Thu, 2016-11-17 at 07:47 +1100, Mark Andrews wrote:
> I know you think doing this collectively is a service but having
> individuals discover and complain to the site operators that their
> DNS is broken is the only way there will be enough pressure brought
> to bear for some of these companies to fix their server
> configurations.

> It requires noise for them to act.  Collectively hiding broken
> servers doesn't generate the noise.

I agree that having individuals complain is the way to bring enough
pressure to get things fixed. But recording the results of the discovery
process can be centralized.


> https://ednscomp.isc.org/ has lists of servers with broken EDNS
> support some of which stops / slows DNS resolution in BIND.

I am only interested (for now) in the names that are fully broken
without "send-cookie no". It seems more important to get those fixed,
than to fix those that (only) slow down resolution.

I propose adding /etc/named.broken.servers to track those that cannot
handle cookies, but that file won't be included in the default
/etc/named.conf configuration. It will include for each server the dig
tests that can verify that the server is still broken, and should
include contact information so the bind administrator can send a note
asking that it be fixed.

For example, something like:

// adobe servers that don't understand edns options
//
// please send a note asking hostmaster at adobe.com to fix those servers.
//
// dig wip4.adobe.com ns
// dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
// dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
server 192.150.16.247   { send-cookie no; };
server 192.150.19.247   { send-cookie no; };
server 193.104.215.247  { send-cookie no; };



Note that "dig wip4.adobe.com soa" shows hostmaster at sj1gtm001.adobe.com
for that zone, but sj1gtm001.adobe.com has no MX record, and the A
record target does not answer port 25 connections.
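The "dig ... +cookie" versus "+nocookie" comparison that the proposed file records for each server, written up as a small POSIX shell checker. This is an added example, not code from the post or from BIND; the function names, the verdict words and the constructed dig header lines used for testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a server listed in
# named.broken.servers still mishandles EDNS cookies, by comparing the RCODE of
# the same query sent with +cookie and with +nocookie.

# Extract the RCODE from dig's ";; ->>HEADER<<- ... status: XXX, ..." line.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Verdict from the two RCODEs: "broken" when the plain query succeeds but the
# cookie query does not (the pattern in the adobe comments above), "fixed" when
# both agree, "unknown" for anything else (e.g. the server is down).
cookie_verdict() {
    cookie_rc=$1
    nocookie_rc=$2
    if [ "$nocookie_rc" = "NOERROR" ] && [ "$cookie_rc" != "NOERROR" ]; then
        echo broken
    elif [ "$cookie_rc" = "$nocookie_rc" ]; then
        echo fixed
    else
        echo unknown
    fi
}

# Run both queries against one server and print "server verdict".
check_server() {
    name=$1
    server=$2
    with=$(dig "$name" "@$server" +cookie 2>&1 || true)
    without=$(dig "$name" "@$server" +nocookie 2>&1 || true)
    printf '%s %s\n' "$server" \
        "$(cookie_verdict "$(rcode_of "$with")" "$(rcode_of "$without")")"
}

# Usage: ./check-cookie.sh <name> <server-ip>; only runs when dig is present.
if command -v dig >/dev/null 2>&1 && [ -n "$1" ] && [ -n "$2" ]; then
    check_server "$1" "$2"
fi
```

A "fixed" line means the server clause with "send-cookie no" can be dropped from named.broken.servers.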