On Mon, Apr 29, 2013 at 09:16:08AM -0400, [email protected] wrote:

> "However, we have become aware of an error in a particular version of the
> DNS software BIND, which we know is being used by several ISPs in Sweden,
> like TeliaSonera, Telenor, Tele2, Bredbandsbolaget and Bredband2."
It works like this. If BIND experiences a timeout on a query for a domain, it assumes this might be because of EDNS0 compatibility issues, and retries without EDNS0. BIND does this even for domains for which it wants to do validation. Since it does not get RRSIGs if it does not use EDNS0, it declares all future answers bogus. Unbound does not do EDNS0 fallback for domains for which it has seen a trust anchor or DS. So far for the BIND part.

On the PowerDNS side, there are queries which we don't send out correct answers for, which BIND interprets as a timeout (since it can't match up our answer to its original question). This is our bug. Once BIND has seen a few timeouts, it stops doing EDNS0 with us at all.

The upshot of this is that PowerDNS and BIND together generate a bad situation in which validation fails.

The solution is to either change BIND (no patches are available as yet, but Unbound is nice) or to patch PowerDNS (https://github.com/PowerDNS/pdns/commit/63e365db8884838184cfc61b26be62469589f404). One.com has now patched their PowerDNS, as have other large operators. We also have snapshots, tarballs and packages available with this patch in them.

Bert

--
PowerDNS Website: http://www.powerdns.com/
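As an added illustration (not from Bert's mail, nor from the PowerDNS, BIND or Unbound code bases), here is a small Python model of the interaction described above: a server that mishandles some EDNS0 queries, a BIND-style resolver that falls back to plain DNS and then sticks with it, and an Unbound-style resolver that refuses to fall back for a zone under a trust anchor. The zone names, the three-timeout threshold and the set of mishandled queries are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Authoritative server for a signed zone. EDNS0 queries for names in
    `mismatched` get a reply the resolver cannot match to its question, which
    the resolver experiences as a timeout (stand-in for the PowerDNS bug;
    the set of names is constructed)."""
    mismatched: set = field(default_factory=set)

    def query(self, name, edns0):
        if edns0 and name in self.mismatched:
            return None                       # perceived timeout
        # RRSIGs only come back on EDNS0 queries (DO bit set)
        return {"name": name, "rrsig": edns0}


@dataclass
class Resolver:
    """policy='bind': on a timeout, retry without EDNS0 even for a zone it
    must validate; after `threshold` timeouts stop using EDNS0 with that
    server for every later query.
    policy='unbound': no plain-DNS fallback for a zone with a trust anchor/DS."""
    policy: str
    threshold: int = 3
    timeouts: int = 0
    edns_disabled: bool = False

    def resolve(self, server, name, under_trust_anchor=True):
        reply = server.query(name, edns0=not self.edns_disabled)
        if reply is None:
            self.timeouts += 1
            if self.policy == "unbound" and under_trust_anchor:
                return "servfail"             # no verdict from a signature-less answer
            reply = server.query(name, edns0=False)   # BIND-style fallback
            if self.timeouts >= self.threshold:
                self.edns_disabled = True     # sticks for all later queries
        if reply["rrsig"]:
            return "secure"
        return "bogus" if under_trust_anchor else "insecure"


def run(policy, names, mismatched):
    """Resolve `names` in order against one server; returns (name, verdict) pairs."""
    server = AuthServer(mismatched=set(mismatched))
    resolver = Resolver(policy)
    return [(n, resolver.resolve(server, n)) for n in names]
```

Running `run("bind", ...)` over three mishandled names followed by a perfectly good one shows the good name also ending up bogus, while the Unbound-style policy returns SERVFAIL for the bad names and validates the good one.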
