Timothy A. Holtzen <t...@nebrwesleyan.edu> wrote:

> I've run into an odd problem.  On the same host with nearly identical
> configurations.  Bind 9.10.6 can resolve and DNSSEC validate sss.gov but
> Bind 9.11.2 cannot.

Ah, this is because sss.gov is hosted on Qwest's DNS servers that have
broken EDNS logic which is incompatible with DNS cookies.

I have a short script (quoted below) which generates a blacklist of broken
servers which is included in my `named.conf`.

The number of problem reports I've received is mercifully small - Qwest
are the worst cookie offenders.

########################################################################

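#!/bin/sh

set -eu

# Generated file, included from named.conf
noedns=roles/named/files/named.conf.noedns

# Start from an empty file on every run
: >"$noedns"

# qwest - bea.gov
# barclays - myapplication.international.barclays.com

# Look up the A and AAAA records of each broken server; every answer
# line is "name type address" and becomes one server clause
for s in        sauthns1.qwest.net. \
                sauthns2.qwest.net. \
                ns21.barclays.com. \
                ns22.barclays.net. \
                ns23.barclays.com. \
                ns24.barclays.net.
do
        dig +noall +nottl +noclass +answer "$s" a "$s" aaaa
done |
sort |
while   read -r s t a
do      echo "server $a { send-cookie no; }; # $s"
done    >>"$noedns"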

########################################################################

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Cyclonic 4 or 5,
occasionally 6 in Hebrides, Bailey and Southeast Iceland. Moderate or rough,
occasionally very rough in Hebrides and Bailey. Wintry showers. Good,
occasionally poor.
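
A check for deciding whether a server belongs in such a list, as an added example that is not part of the original message: it compares the response status dig reports for the same query sent without and with a DNS cookie. The function names, the constructed sample transcripts and the "plain query works, cookie query fails" heuristic are assumptions, not the author's method.

```shell
#!/bin/sh
# Added example (not from the original post).

# Constructed dig transcripts used to exercise the logic offline.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FORMERR=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# rcode_of TEXT: print the status from dig's header line,
# or TIMEOUT when the transcript contains no response header.
rcode_of() {
    printf '%s\n' "$1" |
    sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z0-9]*\),.*/\1/p' |
    head -n 1 | grep . || echo TIMEOUT
}

# classify PLAIN COOKIE: PLAIN is dig output for a query sent with
# +nocookie, COOKIE is the output for the same query sent with +cookie.
classify() {
    plain=$(rcode_of "$1")
    cookie=$(rcode_of "$2")
    if [ "$plain" != NOERROR ]; then
        # The server fails even without a cookie, so cookies are
        # not shown to be the cause.
        echo "inconclusive"
    elif [ "$cookie" = NOERROR ]; then
        echo "ok"
    else
        # Answers plain queries but not cookie queries:
        # a candidate for "send-cookie no".
        echo "cookie-broken:$cookie"
    fi
}

# probe SERVER ZONE: live version of the check (needs network access).
probe() {
    server=$1 zone=$2
    p=$(dig +norec +nocookie +tries=1 +time=3 "@$server" "$zone" soa 2>/dev/null || true)
    c=$(dig +norec +cookie +tries=1 +time=3 "@$server" "$zone" soa 2>/dev/null || true)
    classify "$p" "$c"
}

# Offline demonstration on the constructed transcripts.
classify "$SAMPLE_OK" "$SAMPLE_FORMERR"
```

A single timeout can be ordinary packet loss, so repeat `probe` a few times before adding a server to the list.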