-----Original Message-----
From: Chris Thompson <c...@hermes.cam.ac.uk> On Behalf Of Chris Thompson
Sent: 10 June 2019 17:30
To: Jukka Pakkanen <jukka.pakka...@qnet.fi>
Cc: bind-us...@isc.org
Subject: Re: Strange DNS problem

On Jun 10 2019, Jukka Pakkanen wrote:

>We have a strange problem related to DNS services, maybe someone here
>has a clue what could be the problem.
[…]
>An example, the client domain is raimoasikainenoy.fi.

Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report:

>; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>; COOKIE: a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071 (bad)

every time! (Use +qr to show the client cookie sent by dig.)

I expect you could work around this by specifying

    server 193.184.54.212 { send-cookie no; };

in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem.

--
Chris Thompson
Email: c...@cam.ac.uk


Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fallback works, as I suppose it does, it does not help here.

; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good)
;; QUESTION SECTION:
;ns.kpk.fi.                     IN      A

;; Query time: 0 msec
;; SERVER: 62.142.220.5#53(62.142.220.5)
;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019
;; MSG SIZE  rcvd: 66

And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer:

; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ef9a3009864a20aaaa2e5dfe5cfe9648adfe8be2561def4d (good)
;; QUESTION SECTION:
;ns.kpk.fi.                     IN      A

;; ANSWER SECTION:
ns.kpk.fi.              600     IN      A       192.130.183.74

;; Query time: 31 msec
;; SERVER: 192.130.183.74#53(192.130.183.74)
;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019
;; MSG SIZE  rcvd: 82

Jukka


Maybe because the "lue.keskipohjanmaa.com" NS server for this kpk.fi domain also seems to be having this cookie problem:

;; Warning: Client COOKIE mismatch

; <<>> DiG 9.14.2 <<>> @192.130.183.69 ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39629
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a0ffec004f65b471e0b8b271ffffffffe7bab2718129c071 (bad)
;; QUESTION SECTION:
;ns.kpk.fi.                     IN      A

;; ANSWER SECTION:
ns.kpk.fi.              600     IN      A       192.130.183.74

;; AUTHORITY SECTION:
kpk.fi.                 600     IN      NS      lue.keskipohjanmaa.com.
kpk.fi.                 600     IN      NS      ns.datatower.fi.

;; ADDITIONAL SECTION:
ns.datatower.fi.        3600    IN      A       193.184.54.212
lue.keskipohjanmaa.com. 3600    IN      A       192.130.183.69

;; Query time: 31 msec
;; SERVER: 192.130.183.69#53(192.130.183.69)
;; WHEN: Mon Jun 10 20:59:44 FLE Daylight Time 2019
;; MSG SIZE  rcvd: 177
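
Added example, not part of the original thread and not BIND's own code: the client-side checks RFC 7873 describes for a returned COOKIE option, run over the cookie values quoted in the dig output above, plus a check for the same server cookie coming back from different servers. The function names are hypothetical, and the client cookie used for the two (bad) responses is constructed, because the thread does not show what dig sent.

```python
"""RFC 7873 client-side checks on a returned DNS COOKIE option (added example)."""
from collections import defaultdict

CLIENT_LEN = 8                  # client cookie: exactly 8 bytes
SERVER_MIN, SERVER_MAX = 8, 32  # server cookie: 8 to 32 bytes when present


def check_cookie(sent_client_hex, returned_hex):
    """Return 'good', 'client-only', 'mismatch' or 'malformed'."""
    sent = bytes.fromhex(sent_client_hex)
    got = bytes.fromhex(returned_hex)
    if len(sent) != CLIENT_LEN:
        raise ValueError("client cookie must be 8 bytes")
    server_len = len(got) - CLIENT_LEN
    if server_len != 0 and not SERVER_MIN <= server_len <= SERVER_MAX:
        return "malformed"
    if got[:CLIENT_LEN] != sent:
        return "mismatch"  # the response does not echo the cookie we sent
    return "good" if server_len else "client-only"


def shared_server_cookies(observations):
    """Map each server cookie returned by more than one server to those servers.

    observations: iterable of (server_ip, sent_client_hex, returned_hex).
    """
    seen = defaultdict(set)
    for ip, _sent, cookie_hex in observations:
        server_part = bytes.fromhex(cookie_hex)[CLIENT_LEN:]
        if server_part:
            seen[server_part.hex()].add(ip)
    return {c: sorted(ips) for c, ips in seen.items() if len(ips) > 1}


# Constructed client cookie: the thread does not show what dig sent to the
# two servers whose responses were marked (bad).
SENT = "0123456789abcdef"
# Returned COOKIE values are copied from the dig output quoted in the thread.
OBSERVED = [
    ("193.184.54.212", SENT, "a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071"),
    ("192.130.183.69", SENT, "a0ffec004f65b471e0b8b271ffffffffe7bab2718129c071"),
    # Assumption: dig marked this one (good), so its first 8 bytes are taken
    # to be the client cookie dig sent.
    ("192.130.183.74", "ef9a3009864a20aa",
     "ef9a3009864a20aaaa2e5dfe5cfe9648adfe8be2561def4d"),
]

if __name__ == "__main__":
    for ip, sent, cookie in OBSERVED:
        print(ip, check_cookie(sent, cookie))
    print(shared_server_cookies(OBSERVED))
```

The last 16 bytes of the two (bad) cookies are identical even though they came from different servers, which is why the second function reports 193.184.54.212 and 192.130.183.69 together.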