On 17.05.23 11:31, Greg Choules via bind-users wrote:
TL;DR 9.18 is stricter than 9.16 at handling junk responses from
authoritative servers.

I think there were even "DNS flag day"s when operators were supposed to install/configure systems that comply with standards.

After the next DNS flag day (none announced afaik) we should expect broken servers to stop being supported - whoever owns one will have troubles.

Looking at a packet capture for this from my own BIND server (9.18.14) the
response from 195.178.56.17 is FORMERR, which tends to mean that it objects
to something in the query. The correct response to something you don't like
is to ignore it, so this server is not obeying protocol and 9.18 is not
going to try and work around broken behaviour.

I disabled sending of cookies to this server and now it works. It could be
that it doesn't like cookies, or just any EDNS option that it doesn't know
what to do with. Either way, it should be fixed.

On Tue, 16 May 2023 at 15:53, Alex <mysqlstud...@gmail.com> wrote:
I have a bind-9.18.7 system on fedora37 and am having some strange errors
with some queries.

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

In my bind logs I have the following:
16-May-2023 10:37:49.800 resolver: DNS format error from 195.178.56.17#53 resolving ns1.apr.gov.rs/AAAA for <unknown>: server sent FORMERR
16-May-2023 10:37:49.800 lame-servers: received FORMERR resolving 'ns1.apr.gov.rs/AAAA/IN': 195.178.56.17#53
16-May-2023 10:37:49.800 lame-servers: timed out resolving 'info.apr.gov.rs/A/IN': 212.62.49.194#53
16-May-2023 10:37:49.800 query-errors: client @0x7f9d546d5168 127.0.0.1#59712 (info.apr.gov.rs): query failed (failure) for info.apr.gov.rs/IN/A at ../../../lib/ns/query.c:7717

In the limited search results I've found for this, I believe it has
something to do with dnssec or EDNS, but I really don't know how to
troubleshoot this. Is this a known problem?

It also appears to be happening with even hosts like ticketmaster?
16-May-2023 10:21:09.348 lame-servers: FORMERR resolving 'engage.ticketmaster.com/NS/IN': 205.251.194.123#53

The host resolves fine on my bind-9.16.38 system using the exact same
configuration, as well as most or all public resolvers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
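
An added example, not part of the thread: the troubleshooting step described above (compare a plain query, an EDNS query, and an EDNS query carrying a cookie) as a Python sketch that builds the three probe messages and classifies the replies. The function names are hypothetical and the replies are constructed 12-byte headers, so it runs offline.

```python
import struct

COOKIE = 10    # EDNS COOKIE option code (RFC 7873)
OPT = 41       # OPT pseudo-RR type (RFC 6891)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, edns=True, cookie=None, msg_id=0x1234):
    """Non-recursive query; edns=True appends an OPT RR, optionally with a client cookie."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie if cookie else b""
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLEN, RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
    return msg

def rcode(msg):
    """Name of the RCODE held in the low 4 bits of the header flags."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    value = struct.unpack("!H", msg[2:4])[0] & 0x000F
    return RCODES.get(value, "RCODE%d" % value)

def diagnose(plain, edns, edns_cookie):
    """Classify a server from its replies to the three probe queries."""
    codes = (rcode(plain), rcode(edns), rcode(edns_cookie))
    if codes[0] == "FORMERR":
        return "FORMERR even without EDNS: problem is not EDNS-related"
    if codes[1] == "FORMERR":
        return "FORMERR to any OPT record: server does not accept EDNS"
    if codes[2] == "FORMERR":
        return "FORMERR only with COOKIE: server rejects an EDNS option it should ignore"
    return "no FORMERR on these probes"

def sample_reply(rcode_value, msg_id=0x1234):
    """Constructed 12-byte reply header (QR=1) standing in for a captured response."""
    return struct.pack("!6H", msg_id, 0x8000 | rcode_value, 0, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("ns1.apr.gov.rs", 28, cookie=bytes(8))  # 28 = AAAA
    print(len(q), "byte query with cookie")
    print(diagnose(sample_reply(0), sample_reply(0), sample_reply(1)))
```
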