bind-users Digest, Vol 3297, Issue 1
krookkids
krookkids at protonmail.com
Wed Nov 6 08:17:45 UTC 2019
Dear Wil,
Your email was fascinating. Thank you
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, November 6, 2019 3:15 AM, <bind-users-request at lists.isc.org> wrote:
> Send bind-users mailing list submissions to
> bind-users at lists.isc.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.isc.org/mailman/listinfo/bind-users
> or, via email, send a message with subject or body 'help' to
> bind-users-request at lists.isc.org
>
> You can reach the person managing the list at
> bind-users-owner at lists.isc.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of bind-users digest..."
>
> Today's Topics:
>
> 1. Query failed (timed out) (Wilfred Sarmiento)
> 2. Re: Query failed (timed out) (Daniel Stirnimann)
> 3. Re: Query failed (timed out) (Mark Andrews)
> 4. Re: Query failed (timed out) (Wilfred Sarmiento)
>
>
> Message: 1
> Date: Wed, 6 Nov 2019 15:32:48 +0800
> From: Wilfred Sarmiento wpsarmiento at globe.com.ph
> To: bind-users at lists.isc.org
> Subject: Query failed (timed out)
> Message-ID:
> CACLUGZT37G_8BjynyG-YE+u8UcqyuvHcBPvyoXMWsyaTiQeuqA at mail.gmail.com
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Bind Users,
>
> Anyone have a similar issue we are encountering with the subdomain of
> Barclays.com specifically federate.secure.barclays.com
> Our cache server could not resolve the said subdomain, but was able to
> resolve their root domain barclays.com and any other known domains.
> Debug just showed below little details of logs.
> That subdomain was resolvable using Google DNS and other OpenDNS.
>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com):
> query: federate.secure.barclays.com IN A + (x.x.x.x)
>
> client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com):
> query: federate.secure.barclays.com IN A + (x.x.x.x)
>
> client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com):
> query failed (timed out) for federate.secure.barclays.com/IN/A at
> query.c:6786
>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com):
> query: federate.secure.barclays.com IN A + (x.x.x.x)
>
> client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com):
> query failed (timed out) for federate.secure.barclays.com/IN/A at
> query.c:6786
>
> Thank you,
>
> Wil
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> This e-mail message (including attachments, if any) is intended for the use
> of the individual or the entity to whom it is addressed and may contain
> information that is privileged, proprietary, confidential and exempt from
> disclosure. If you are not the intended recipient, you are notified that
> any dissemination, distribution or copying of this communication is
> strictly prohibited. If you have received this communication in error,
> please notify the sender and delete this E-mail message immediately.
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.isc.org/pipermail/bind-users/attachments/20191106/7228a0d3/attachment-0001.htm
>
> --
>
> Message: 2
> Date: Wed, 6 Nov 2019 08:50:31 +0100
> From: Daniel Stirnimann daniel.stirnimann at switch.ch
> To: Wilfred Sarmiento wpsarmiento at globe.com.ph,
>
> <bind-users at lists.isc.org>
>
>
> Subject: Re: Query failed (timed out)
> Message-ID: 4a60fcf1-58b5-bda2-f8e1-56b67c9e46c0 at switch.ch
> Content-Type: text/plain; charset="utf-8"
>
> federate.secure.barclays.com. is a CNAME pointing to
> federate-secure.glbaa.barclays.com
>
> The authoritative name servers for federate-secure.glbaa.barclays.com
> are broken:
>
> glbaa.barclays.com. 900 IN NS ns24.barclays.net.
> glbaa.barclays.com. 900 IN NS ns22.barclays.net.
> glbaa.barclays.com. 900 IN NS ns23.barclays.com.
> glbaa.barclays.com. 900 IN NS ns21.barclays.com
>
> They only seem to respond to A, AAAA queries. Everything else times out.
> Queries with EDNS Cookies (RFC7873) timeout as well.
>
> You should be able to work around this by adding this to named.conf
>
> server 157.83.126.246 { send-cookie false; };
> server 157.83.102.246 { send-cookie false; };
> server 157.83.126.245 { send-cookie false; };
> server 157.83.102.245 { send-cookie false; };
>
> See also
> https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar
>
> Daniel
>
> On 06.11.19 08:32, Wilfred Sarmiento via bind-users wrote:
>
> > Hi Bind Users,
> > Anyone have a similar issue we are encountering with the subdomain of
> > Barclays.com specifically federate.secure.barclays.com
> > http://federate.secure.barclays.com
> > Our cache server could not resolve the said subdomain, but was able to
> > resolve their root domain barclays.com http://barclays.com and any
> > other known domains.?
> > Debug just showed below little details of logs.?
> > That subdomain was resolvable using Google DNS and other OpenDNS.
> > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852
> > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> >
> > - (x.x.x.x)
> >
> > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852
> > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> >
> > - (x.x.x.x)
> >
> > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852
> > (federate.secure.barclays.com): query failed (timed out) for
> > federate.secure.barclays.com/IN/A at query.c:6786
> > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852
> > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> >
> > - (x.x.x.x)
> >
> > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852
> > (federate.secure.barclays.com): query failed (timed out) for
> > federate.secure.barclays.com/IN/A at query.c:6786
> > Thank you,
> > *Wil
> > *
> > This e-mail message (including attachments, if any) is intended for the
> > use of the individual or the entity to whom it is addressed and may
> > contain information that is privileged, proprietary, confidential and
> > exempt from disclosure. If you are not the intended recipient, you are
> > notified that any dissemination, distribution or copying of this
> > communication is strictly prohibited. If you have received this
> > communication in error, please notify the sender and delete this E-mail
> > message immediately.
> >
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
>
> Message: 3
> Date: Wed, 6 Nov 2019 18:52:14 +1100
> From: Mark Andrews marka at isc.org
> To: Wilfred Sarmiento wpsarmiento at globe.com.ph,
>
> iplegal at barclays.com, hostmaster at netnames.net
>
>
> Cc: bind-users at lists.isc.org
> Subject: Re: Query failed (timed out)
> Message-ID: DAF8C06C-0015-4A43-9DB8-8A2EE9BA9730 at isc.org
> Content-Type: text/plain; charset=us-ascii
>
> The DNS servers for federate-secure.glbaa.barclays.com are broken which
> is what federate.secure.barclays.com points to. They do not respond to
> queries with EDNS options present and named sends a DNS COOKIE EDNS option
> by default.
>
> You can work around this by specifying
>
> server 157.83.102.245 { send-cookie no; };
>
> and similarly for all the other IP addresses of the GLB but the real fix
> is for Barclays to deploy RFC compliant DNS servers. Their servers nominally
> support EDNS and unknown EDNS options are supposed to be ignored, not cause
> the query to be dropped.
>
> % dig federate-secure.glbaa.barclays.com +nocookie @157.83.102.245
>
> ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> federate-secure.glbaa.barclays.com +nocookie @157.83.102.245
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62156
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;federate-secure.glbaa.barclays.com. IN A
>
> ;; ANSWER SECTION:
> federate-secure.glbaa.barclays.com. 30 IN A 157.83.124.48
>
> ;; Query time: 356 msec
> ;; SERVER: 157.83.102.245#53(157.83.102.245)
> ;; WHEN: Wed Nov 06 18:49:20 AEDT 2019
> ;; MSG SIZE rcvd: 79
>
> % dig federate-secure.glbaa.barclays.com @157.83.102.245
>
> ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> federate-secure.glbaa.barclays.com @157.83.102.245
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> [beetle:~/git/bind9] marka% dig federate-secure.glbaa.barclays.com +nocookie @157.83.102.245
>
> ; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> federate-secure.glbaa.barclays.com +nocookie @157.83.102.245
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20094
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;federate-secure.glbaa.barclays.com. IN A
>
> ;; ANSWER SECTION:
> federate-secure.glbaa.barclays.com. 30 IN A 157.83.124.48
>
> ;; Query time: 383 msec
> ;; SERVER: 157.83.102.245#53(157.83.102.245)
> ;; WHEN: Wed Nov 06 18:50:19 AEDT 2019
> ;; MSG SIZE rcvd: 79
>
> %
>
> > On 6 Nov 2019, at 18:32, Wilfred Sarmiento via bind-users bind-users at lists.isc.org wrote:
> > Hi Bind Users,
> > Anyone have a similar issue we are encountering with the subdomain of Barclays.com specifically federate.secure.barclays.com
> > Our cache server could not resolve the said subdomain, but was able to resolve their root domain barclays.com and any other known domains.
> > Debug just showed below little details of logs.
> > That subdomain was resolvable using Google DNS and other OpenDNS.
> > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + (x.x.x.x)
> > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + (x.x.x.x)
> > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): query failed (timed out) for federate.secure.barclays.com/IN/A at query.c:6786
> > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): query: federate.secure.barclays.com IN A + (x.x.x.x)
> > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852 (federate.secure.barclays.com): query failed (timed out) for federate.secure.barclays.com/IN/A at query.c:6786
> > Thank you,
> > Wil
> > This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.
> >
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
>
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
>
> --------------------------------------------------------------------------------------------------------------------
>
> Message: 4
> Date: Wed, 6 Nov 2019 16:14:32 +0800
> From: Wilfred Sarmiento wpsarmiento at globe.com.ph
> To: Daniel Stirnimann daniel.stirnimann at switch.ch
> Cc: bind-users at lists.isc.org
> Subject: Re: Query failed (timed out)
> Message-ID:
> CACLUGZRiVgEoytbfT5WpZM35xKvjpNEE2ntM06LGszDPiqg6sw at mail.gmail.com
> Content-Type: text/plain; charset="utf-8"
>
> Hi Daniel,
>
> The workaround works, does BIND 9.14 has a patch to resolve this? Since we
> have a multiple Cache server, we need to do this every time we encounter
> another domain that has this same issue.
>
> Thank you!
>
> Wil
>
> On Wed, Nov 6, 2019 at 3:50 PM Daniel Stirnimann <
> daniel.stirnimann at switch.ch> wrote:
>
> > federate.secure.barclays.com. is a CNAME pointing to
> > federate-secure.glbaa.barclays.com
> > The authoritative name servers for federate-secure.glbaa.barclays.com
> > are broken:
> > glbaa.barclays.com. 900 IN NS ns24.barclays.net.
> > glbaa.barclays.com. 900 IN NS ns22.barclays.net.
> > glbaa.barclays.com. 900 IN NS ns23.barclays.com.
> > glbaa.barclays.com. 900 IN NS ns21.barclays.com
> > They only seem to respond to A, AAAA queries. Everything else times out.
> > Queries with EDNS Cookies (RFC7873) timeout as well.
> > You should be able to work around this by adding this to named.conf
> > server 157.83.126.246 { send-cookie false; };
> > server 157.83.102.246 { send-cookie false; };
> > server 157.83.126.245 { send-cookie false; };
> > server 157.83.102.245 { send-cookie false; };
> > See also
> > https://ftp.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#server_statement_grammar
> > Daniel
> > On 06.11.19 08:32, Wilfred Sarmiento via bind-users wrote:
> >
> > > Hi Bind Users,
> > > Anyone have a similar issue we are encountering with the subdomain of
> > > Barclays.com specifically federate.secure.barclays.com
> > > http://federate.secure.barclays.com
> > > Our cache server could not resolve the said subdomain, but was able to
> > > resolve their root domain barclays.com http://barclays.com and any
> > > other known domains.
> > > Debug just showed below little details of logs.
> > > That subdomain was resolvable using Google DNS and other OpenDNS.
> > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852
> > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> > >
> > > - (x.x.x.x)
> > >
> > > client @0x7f6a4a4cd070 xxx.xxx.xxx.xxx#63852
> > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> > >
> > > - (x.x.x.x)
> > >
> > > client @0x7f6a14a7b6a0 xxx.xxx.xxx.xxx#63852
> > > (federate.secure.barclays.com): query failed (timed out) for
> > > federate.secure.barclays.com/IN/A at query.c:6786
> > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852
> > > (federate.secure.barclays.com): query: federate.secure.barclays.com IN A
> > >
> > > - (x.x.x.x)
> > >
> > > client @0x7f6a31216e30 xxx.xxx.xxx.xxx#63852
> > > (federate.secure.barclays.com): query failed (timed out) for
> > > federate.secure.barclays.com/IN/A at query.c:6786
> > > Thank you,
> > > *Wil
> > > *
> > > This e-mail message (including attachments, if any) is intended for the
> > > use of the individual or the entity to whom it is addressed and may
> > > contain information that is privileged, proprietary, confidential and
> > > exempt from disclosure. If you are not the intended recipient, you are
> > > notified that any dissemination, distribution or copying of this
> > > communication is strictly prohibited. If you have received this
> > > communication in error, please notify the sender and delete this E-mail
> > > message immediately.
> > >
> > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > > unsubscribe from this list
> > > bind-users mailing list
> > > bind-users at lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
>
> This e-mail message (including attachments, if any) is intended for the use
> of the individual or the entity to whom it is addressed and may contain
> information that is privileged, proprietary, confidential and exempt from
> disclosure. If you are not the intended recipient, you are notified that
> any dissemination, distribution or copying of this communication is
> strictly prohibited. If you have received this communication in error,
> please notify the sender and delete this E-mail message immediately.
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.isc.org/pipermail/bind-users/attachments/20191106/3fa80db8/attachment.htm
>
> --
>
> Subject: Digest Footer
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> ----------------------------------------------------------------------------------------------------
>
> End of bind-users Digest, Vol 3297, Issue 1
More information about the bind-users
mailing list