
List:       dns-operations
Subject:    Re: [dns-operations] 2600::a1 (ns1-auth.sprintlink.net)
From:       Mark Andrews <marka () isc ! org>
Date:       2017-02-16 21:48:09
Message-ID: 20170216214809.C5B506406FE9 () rock ! dv ! isc ! org


In message <CAGfsgR3bH1qEZ4g2-SLcBo5xHDpdw+1W5u-Jqxop=LBqAa-CYA@mail.gmail.com>
, Jim Popovitch writes:
> On Thu, Feb 16, 2017 at 3:00 PM, Gonzalo Muñoz <gmunoz@nic.cl> wrote:
> > It looks like the sprintlink NS has a problem with DNS cookies. Using
> > dig 9.11.0-P1:
> >
> > $ dig @ns1-auth.sprintlink.net. ups.com mx
> > (...)
> > ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 14540
> > (...)
> >
> > $ dig @ns1-auth.sprintlink.net. ups.com mx +nocookie
> > (...)
> > ;; ANSWER SECTION:
> > ups.com.                300     IN      MX      10 email-vip.ups.com.
> > ups.com.                300     IN      MX      10 email2-vip.ups.com.
> > (...)
> >
>
> Ahh! That's it.
>
> Interestingly enough bind does seem to always figure out the data it
> needs by continuing to query other NSes.

Named decides that the servers DO NOT SUPPORT EDNS and switches
back to plain DNS.  There are servers that return BADVERS to EDNS
without EDNS options so that is the only way to get answers from
those servers.

Named then asks again with plain DNS.  This has implications as
these servers also serve signed zones and that breaks DNSSEC
validation.  For the list of .GOV zones that are broken because of
this see: https://ednscomp.isc.org/compliance/gov-full-report.html#eo

Mark

> Thanks!!
>
> -Jim P.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
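
The symptom discussed in this thread can be checked at the wire level. The following is an added example, not code from the original message or from BIND: it builds an EDNS(0) query with an optional COOKIE option and decodes the 12-bit extended RCODE (BADVERS is 16) from a reply's header and OPT record. The function names and the two sample replies are constructed for illustration.

```python
import struct

COOKIE, OPT, BADVERS = 10, 41, 16   # EDNS option code, RR type, extended RCODE

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, cookie=None, qid=0x1234):
    """EDNS version 0 query with DO set; optional 8-byte client cookie."""
    opts = struct.pack("!HH", COOKIE, len(cookie)) + cookie if cookie else b""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, len(opts)) + opts
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def edns_status(msg):
    """Return (full RCODE, EDNS version or None if the message has no OPT)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:            # OPT TTL = ext-rcode(8) | version(8) | flags(16)
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    return rcode, version

def classify(with_cookie, without_cookie):
    """Compare replies to the same EDNS(0) question sent with and without a cookie."""
    if edns_status(with_cookie)[0] == BADVERS and edns_status(without_cookie)[0] == 0:
        return "BADVERS to an EDNS(0) option: resolvers may fall back to plain DNS"
    return "ok"

# Constructed sample replies (not captured traffic): header + question + empty OPT.
Q = encode_name("ups.com") + struct.pack("!HH", 15, 1)
BAD = struct.pack("!6H", 0x1234, 0x8000, 1, 0, 0, 1) + Q + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x01000000, 0)
GOOD = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 1) + Q + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
```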