On 1/6/23 17:00, Ondřej Surý wrote:
> From top of my head - try disabling QNAME minimization.
I don't see the relevance but I tried "qname-minimization off" in my
configuration. No changes, I still see the SERVFAIL.
I insist this is not a bug in BIND. The original domain is
misconfigured. But this misconfiguration is pretty common and resolvers
like 8.8.8.8, 1.1.1.1, 9.9.9.9 just ignore the issue and provide a nice
(and wrong, I agree) "NOERROR" reply. They are faulty, not BIND. But my
clients do not agree: "it works fine with google/cloudflare/infoblox,
you give back a SERVFAIL, goodbye until you fix it, rookie!".
You can see the issue yourself doing:
dig -t AAAA @YOUR_DNS_SERVER_IP oauth-login.cloud.huawei.com
If you are using BIND you will see a SERVFAIL. Then try with 8.8.8.8,
1.1.1.1, 9.9.9.9 and whoever other open DNS resolver you know about.
Compare the results.
All big ISP resolvers I tried in Spain give back a NOERROR. Universities
too.
This issue was described perfectly in this mailing list a couple of
years ago:
https://lists.isc.org/pipermail/bind-users/2021-January/104064.html
This Huawei misconfiguration is quite common, and since big DNS
players just accept it, I am having quite a hard time defending that
BIND is actually doing the right thing.
For instance, a few examples from my logs (only a few seconds of them!).
There are MANY MANY more. Try requesting AAAA for (using your BIND
server and 8.8.8.8):
aes.orange.es
api.mediago.io
appmimovistar.movistar.es
eneotecnologia.com
epns.eset.com
t3pub.movistar.es
trace-eu.mediago.io
trace.mediago.io
I can provide a quite long list if requested.
Studying the source code, I see this in "lib/dns/resolver.c":
"""
if (!dns_name_issubdomain(&fctx->name, &fctx->domain)) {
dns_name_format(&fctx->domain, buf, sizeof(buf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
"'%s' is not subdomain of '%s'", fctx->info,
buf);
result = ISC_R_UNEXPECTED;
goto cleanup_fcount;
}
"""
Nothing there looks like it can be configured, beside just deleting that
code and recompiling.
There is QNAME minimization code further down the same function, but
execution doesn't reach it; the error is generated before getting there.
So no, "qname-minimization off" doesn't solve this.
--
Jesús Cea Avión
j...@jcea.es - https://www.jcea.es/
Twitter: @jcea
jabber / xmpp:j...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users