resolver: DNS format error from
Greg Choules
gregchoules+bindusers at googlemail.com
Wed May 17 10:31:02 UTC 2023
Hi Alex.
TL;DR 9.18 is stricter than 9.16 at handling junk responses from
authoritative servers.
Looking at a packet capture for this from my own BIND server (9.18.14) the
response from 195.178.56.17 is FORMERR, which tends to mean that it objects
to something in the query. The correct response to something you don't like
is to ignore it, so this server is not obeying protocol and 9.18 is not
going to try and work around broken behaviour.
I disabled sending of cookies to this server and now it works. It could be
that it doesn't like cookies, or just any EDNS option that it doesn't know
what to do with. Either way, it should be fixed.
Hope that helps.
Greg
On Tue, 16 May 2023 at 15:53, Alex <mysqlstudent at gmail.com> wrote:
> Hi,
> I have a bind-9.18.7 system on fedora37 and having some strange errors
> with some queries.
>
> $ host info.apr.gov.rs
> Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> in my bind logs I have the following:
> 16-May-2023 10:37:49.800 resolver: DNS format error from 195.178.56.17#53
> resolving ns1.apr.gov.rs/AAAA for <unknown>: server sent FORMERR
> 16-May-2023 10:37:49.800 lame-servers: received FORMERR resolving '
> ns1.apr.gov.rs/AAAA/IN': 195.178.56.17#53
> 16-May-2023 10:37:49.800 lame-servers: timed out resolving '
> info.apr.gov.rs/A/IN': 212.62.49.194#53
> 16-May-2023 10:37:49.800 query-errors: client @0x7f9d546d5168
> 127.0.0.1#59712 (info.apr.gov.rs): query failed (failure) for
> info.apr.gov.rs/IN/A at ../../../lib/ns/query.c:7717
>
> In the limited search results I've found for this, I believe it has
> something to do with dnssec or EDNS, but I really don't know how to
> troubleshoot this. Is this a known problem?
>
> It also appears to be happening with even hosts like ticketmaster?
> 16-May-2023 10:21:09.348 lame-servers: FORMERR resolving '
> engage.ticketmaster.com/NS/IN': 205.251.194.123#53
>
> The host resolves fine on my bind-9.16.38 system using the exact same
> configuration, as well as most or all public resolvers.
>
>
>
>
>
>
>
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230517/4dbfb0d5/attachment-0001.htm>
More information about the bind-users
mailing list