DNS servers that do not properly support or properly ignore DNS cookies and
instead return FORMERR are annoying. This is not new. However, I have been seeing
more, or perhaps just have more users who are finding more domains that are
hosted on authoritative servers with this unfortunate behavior.
Example: progrowth.com name servers.
Individual workarounds on caching BIND servers are not difficult to implement,
like this:
    server 47.206.74.18 {
        send-cookie no;
    };
    server 209.131.228.178 {
        send-cookie no;
    };
However, this workaround is problematic in terms of ongoing upkeep of this list
and the increasing need to add new entries to the list. I'd like to be able to
start sending cookies again if the servers begin to operate compliant with the
EDNS RFC, and I would like to not have to write any tools to remove entries from
this list or schedule some regular calendar reminder to check, or add to Nagios,
or whatever. I'd also rather not just globally disable sending of DNS cookies,
but it is something being considered.
In this article, https://kb.isc.org/docs/aa-01387, it states near the bottom:
"Nevertheless, mishandling of the COOKIE option has been known to cause errors
that are fatal to name resolution when the resolver is validating responses
coming from a signed zone, and the authoritative server returns either FORMERR
or BADVERS, or fails to respond to the query. named treats these answers as if
the server does not support EDNS (which it doesn't) so it stops sending any
EDNS queries at all, which makes it impossible to get a DNSSEC response back."
This statement indicates this fallback method is only applicable to signed
domains. Is there a knob in BIND to apply this behavior to all domains?
Basically, if the authoritative server is behaving incorrectly in this way then
enable no-EDNS or no-COOKIE mode in the interest of allowing DNS queries to
continue to be answered for the end users.
My caching servers are running the BIND 9.18 branch.
Thanks for any pointers or suggestions.
-Justin
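The upkeep problem in the post above (knowing when an entry can be removed from the `send-cookie no;` list again) can be reduced to a repeatable check: send the same EDNS query to the authoritative server twice, once with a COOKIE option (RFC 7873, option code 10) and once without, and compare the RCODEs. The following is an added example written for this thread, not code from BIND or from ISC; the wire-format builder and parser are self-contained, the `probe()` function is the only part that touches the network, and `classify()` is where the "needs a workaround" decision lives. The DNS header and OPT RR layouts follow RFC 1035 and RFC 6891; the 1232-byte EDNS buffer size is an assumed default.

```python
"""Probe whether an authoritative server rejects EDNS COOKIE queries (FORMERR/BADVERS)
while still answering the identical query without the cookie option."""
import os
import socket
import struct
import sys

COOKIE_OPTION_CODE = 10      # EDNS COOKIE option code (RFC 7873)
OPT_TYPE = 41                # OPT pseudo-RR type (RFC 6891)
EDNS_UDP_SIZE = 1232         # assumed EDNS buffer size; any sane value works for this probe
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=2, txid=0x1234, send_cookie=True, client_cookie=None):
    """Build an EDNS(0) query (QTYPE 2 = NS by default, RD clear like a resolver
    talking to an authoritative server). With send_cookie, the OPT RR carries a
    COOKIE option holding an 8-byte client cookie (random unless supplied)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)      # ARCOUNT=1 for the OPT RR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    rdata = b""
    if send_cookie:
        cookie = client_cookie if client_cookie is not None else os.urandom(8)
        rdata = struct.pack("!HH", COOKIE_OPTION_CODE, len(cookie)) + cookie
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (all 0), RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) owner name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def response_rcode(msg):
    """Return the extended RCODE of a response: the 4-bit header RCODE, plus the
    high bits from the OPT RR's TTL field if the server included one (so BADVERS
    shows up as 16, not as a misleading NOERROR)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    try:
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4                 # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT_TYPE:
                rcode |= ((ttl >> 24) & 0xFF) << 4      # extended RCODE lives in the TTL's top byte
            off += 10 + rdlen
    except (IndexError, struct.error):
        pass   # truncated/odd FORMERR bodies are common; fall back to the header RCODE
    return rcode


def classify(rcode_with_cookie, rcode_without_cookie):
    """'cookie-broken' means the server rejects only the COOKIE option (a candidate
    for 'send-cookie no'); 'edns-broken' means it rejects plain EDNS too; None means
    no response at all. A server that has stopped failing can be dropped from the list."""
    if rcode_with_cookie is None:
        return "no-response"
    rejects_cookie = rcode_with_cookie in (1, 16)          # FORMERR or BADVERS
    rejects_edns = rcode_without_cookie in (1, 16, None)
    if rejects_cookie and not rejects_edns:
        return "cookie-broken"
    if rejects_cookie:
        return "edns-broken"
    return "ok"


def probe(server_ip, qname, timeout=3.0):
    """Send the query with and without a cookie over UDP/53 and classify the pair (needs network)."""
    rcodes = []
    for send_cookie in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(qname, send_cookie=send_cookie), (server_ip, 53))
            try:
                data, _ = sock.recvfrom(4096)
                rcodes.append(response_rcode(data))
            except socket.timeout:
                rcodes.append(None)
    return classify(*rcodes)


if __name__ == "__main__":
    # usage: python probe_cookie.py <auth-server-ip> <zone-name>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from cron or a Nagios check against each entry in the `server { send-cookie no; }` list; when the result flips from `cookie-broken` to `ok` the entry can be retired, and a `no-response` result is worth a closer look since a server that drops cookie queries outright is the case named treats as "no EDNS support" in the KB article quoted above.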