Re: bind 9.11, cookies by default

2016-11-16 Thread Mark Andrews

In message <1479332234.30976.34.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> On Thu, 2016-11-17 at 07:47 +1100, Mark Andrews wrote:
> > I know you think doing this collectively is a service but having
> > individuals discover and complain to the site operators that their
> > DNS is broken is the only way there will be enough pressure brought
> > to bear for some of these companies to fix their server
> > configurations.
> 
> > It requires noise for them to act.  Collectively hiding broken
> > servers doesn't generate the noise.
> 
> I agree that having individuals complain is the way to bring enough
> pressure to get things fixed. But recording the results of the discovery
> process can be centralized.
> 
> 
> > https://ednscomp.isc.org/ has lists of servers with broken EDNS
> > support some of which stops / slows DNS resolution in BIND.
> 
> I am only interested (for now) in the names that are fully broken
> without "send-cookie no". It seems more important to get those fixed,
> than to fix those that (only) slow down resolution.
> 
> I propose adding /etc/named.broken.servers to track those that cannot
> handle cookies, but that file won't be included in the default
> /etc/named.conf configuration. It will include for each server the dig
> tests that can verify that the server is still broken, and should
> include contact information so the bind administrator can send a note
> asking that it be fixed.
> 
> For example, something like:
> 
> // adobe servers that don't understand edns options
> //
> // please send a note asking hostmas...@adobe.com to fix those servers.
> //
> // dig wip4.adobe.com ns
> // dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
> // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
> server 192.150.16.247   { send-cookie no; };
> server 192.150.19.247   { send-cookie no; };
> server 193.104.215.247  { send-cookie no; };
> 
> 
> 
> Note that "dig wip4.adobe.com soa" shows hostmas...@sj1gtm001.adobe.com
> for that zone, but sj1gtm001.adobe.com has no MX record, and the A
> record target does not answer port 25 connections.

Adobe has been told multiple times that their servers are misconfigured.
They even half fixed them once.  Their DNS administrators are just
plain incompetent.  They can fix this in less than 5 minutes by
adding a single period (.) to the end of "sl-download.adobe.com.edgekey.net"
in the fallback zone which is used when a cookie option is
present.  It should be "sl-download.adobe.com.edgekey.net." which has a
period at the end.

Without a cookie option you get:
airdownload.wip4.adobe.com. 300 IN  CNAME   ssl-download.adobe.com.edgekey.net.

With a cookie option you get:
airdownload.wip4.adobe.com. 300 IN  CNAME   ssl-download.adobe.com.edgekey.net.wip4.adobe.com.

They just refuse to act.

Mark
 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: bind 9.11, cookies by default

2016-11-16 Thread Carl Byington

On Thu, 2016-11-17 at 07:47 +1100, Mark Andrews wrote:
> I know you think doing this collectively is a service but having
> individuals discover and complain to the site operators that their
> DNS is broken is the only way there will be enough pressure brought
> to bear for some of these companies to fix their server
> configurations.

> It requires noise for them to act.  Collectively hiding broken
> servers doesn't generate the noise.

I agree that having individuals complain is the way to bring enough
pressure to get things fixed. But recording the results of the discovery
process can be centralized.


> https://ednscomp.isc.org/ has lists of servers with broken EDNS
> support some of which stops / slows DNS resolution in BIND.

I am only interested (for now) in the names that are fully broken
without "send-cookie no". It seems more important to get those fixed,
than to fix those that (only) slow down resolution.

I propose adding /etc/named.broken.servers to track those that cannot
handle cookies, but that file won't be included in the default
/etc/named.conf configuration. It will include for each server the dig
tests that can verify that the server is still broken, and should
include contact information so the bind administrator can send a note
asking that it be fixed.

For example, something like:

// adobe servers that don't understand edns options
//
// please send a note asking hostmas...@adobe.com to fix those servers.
//
// dig wip4.adobe.com ns
// dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
// dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
server 192.150.16.247   { send-cookie no; };
server 192.150.19.247   { send-cookie no; };
server 193.104.215.247  { send-cookie no; };



Note that "dig wip4.adobe.com soa" shows hostmas...@sj1gtm001.adobe.com
for that zone, but sj1gtm001.adobe.com has no MX record, and the A
record target does not answer port 25 connections.





Re: bind 9.11, cookies by default

2016-11-16 Thread Mark Andrews

I know you think doing this collectively is a service but having
individuals discover and complain to the site operators that their
DNS is broken is the only way there will be enough pressure brought
to bear for some of these companies to fix their server configurations.

It requires noise for them to act.  Collectively hiding broken
servers doesn't generate the noise.

https://ednscomp.isc.org/ has lists of servers with broken EDNS
support some of which stops / slows DNS resolution in BIND.

Everyone subscribe to the gtld-tech mailing list and complain that
ICANN doesn't require registries and registrars under its control
to check that servers being delegated to are RFC compliant.  Tell
them that lack of EDNS compliance is breaking DNS resolution.

gtld-tech is tasked with providing operational stability.

My lone voice is not enough.  It requires collective action to
people of the backsides to do stuff.

Similarly ask your country's TLD administrators to audit delegated
servers for DNS and EDNS compliance and to remove delegations if the
servers are not fixed in a reasonable period of time.

https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/
has a list of tests which cover this and other issues which affect
DNS interoperability.

Mark

In message <1479321516.30976.7.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> 
> Now that bind is sending cookies by default, there are some broken
> servers out there that we need to configure with send-cookie no;.
> 
> Unless I am missing something, 9.11.0-P1 will (by default) fail to
> resolve names like airdownload.wip4.adobe.com.
> 
> In the interest of publicly naming and shaming their operators, I will
> add an "include /etc/named.broken.servers" file in my packaging. The
> content so far is below. Send me a note if you run into any others.
> 
> 
> // adobe servers that don't understand edns options
> // dig wip4.adobe.com ns
> // dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
> // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
> server 192.150.16.247   { send-cookie no; };
> server 192.150.19.247   { send-cookie no; };
> server 193.104.215.247  { send-cookie no; };
> 
> 
> 
> // eia.gov servers that don't understand edns options
> // dig eia.gov ns
> // dig phantom.eia.gov. @205.254.135.9   +cookie => formerr
> // dig phantom.eia.gov. @205.254.135.9 +nocookie => noerror
> server 205.254.135.9    { send-cookie no; };
> server 199.36.140.199   { send-cookie no; };
> 
> 
> 
> // lctcs.edu servers that don't understand edns options
> // dig lctcs.edu ns
> // dig www.lctcs.edu @76.165.120.16   +cookie => formerr
> // dig www.lctcs.edu @76.165.120.16 +nocookie => noerror
> server 76.165.120.16    { send-cookie no; };
> server 76.165.210.249   { send-cookie no; };
> 
> 
> 
> // london-nano.com servers that don't understand edns options
> // dig london-nano.com ns
> // dig www.london-nano.com @213.162.97.177   +cookie
> // dig www.london-nano.com @213.162.97.177 +nocookie
> server 213.162.97.177   { send-cookie no; };
> server 213.162.97.178   { send-cookie no; };
> 
> 
> 
> // etdbw.com servers that don't understand edns options (www.mycoverageinfo.com)
> // dig www.mycoverageinfo.gtm.etdbw.com. +trace
> // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7   +cookie => noerror, 0 answers
> // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +nocookie => noerror, 1 answer
> server 167.79.45.7  { send-cookie no; };
> server 167.79.182.7 { send-cookie no; };
> server 167.79.186.7 { send-cookie no; };
> server 167.79.192.7 { send-cookie no; };
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


bind 9.11, cookies by default

2016-11-16 Thread Carl Byington

Now that bind is sending cookies by default, there are some broken
servers out there that we need to configure with send-cookie no;.

Unless I am missing something, 9.11.0-P1 will (by default) fail to
resolve names like airdownload.wip4.adobe.com.

In the interest of publicly naming and shaming their operators, I will
add an "include /etc/named.broken.servers" file in my packaging. The
content so far is below. Send me a note if you run into any others.


// adobe servers that don't understand edns options
// dig wip4.adobe.com ns
// dig airdownload.wip4.adobe.com @192.150.16.247   +cookie ==> nxdomain
// dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror
server 192.150.16.247   { send-cookie no; };
server 192.150.19.247   { send-cookie no; };
server 193.104.215.247  { send-cookie no; };



// eia.gov servers that don't understand edns options
// dig eia.gov ns
// dig phantom.eia.gov. @205.254.135.9   +cookie => formerr
// dig phantom.eia.gov. @205.254.135.9 +nocookie => noerror
server 205.254.135.9    { send-cookie no; };
server 199.36.140.199   { send-cookie no; };



// lctcs.edu servers that don't understand edns options
// dig lctcs.edu ns
// dig www.lctcs.edu @76.165.120.16   +cookie => formerr
// dig www.lctcs.edu @76.165.120.16 +nocookie => noerror
server 76.165.120.16    { send-cookie no; };
server 76.165.210.249   { send-cookie no; };



// london-nano.com servers that don't understand edns options
// dig london-nano.com ns
// dig www.london-nano.com @213.162.97.177   +cookie
// dig www.london-nano.com @213.162.97.177 +nocookie
server 213.162.97.177   { send-cookie no; };
server 213.162.97.178   { send-cookie no; };



// etdbw.com servers that don't understand edns options (www.mycoverageinfo.com)
// dig www.mycoverageinfo.gtm.etdbw.com. +trace
// dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7   +cookie => noerror, 0 answers
// dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +nocookie => noerror, 1 answer
server 167.79.45.7  { send-cookie no; };
server 167.79.182.7 { send-cookie no; };
server 167.79.186.7 { send-cookie no; };
server 167.79.192.7 { send-cookie no; };

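The two checks the thread relies on, as an added example that is not part of any message above: Carl's "+cookie versus +nocookie" dig test, turned into a rule that decides whether a server earns a `send-cookie no;` clause, and Mark's diagnosis of the Adobe answer, a CNAME target that lost its trailing dot and had the zone origin appended. The dig excerpts are constructed for the example (only the header line and answer records), and all function names are the example's own, not BIND's or dig's.

```python
import re

# Constructed excerpts of dig output (header line plus answer section).
# They mirror the shape the thread describes; they are not real captures
# from the servers named in it.
ADOBE_COOKIE = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
airdownload.wip4.adobe.com. 300 IN CNAME ssl-download.adobe.com.edgekey.net.wip4.adobe.com.
"""
ADOBE_NOCOOKIE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
airdownload.wip4.adobe.com. 300 IN CNAME ssl-download.adobe.com.edgekey.net.
"""
EIA_COOKIE = ";; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 3\n"
EIA_NOCOOKIE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
phantom.eia.gov. 300 IN A 192.0.2.1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
CNAME_RE = re.compile(r"^\S+\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.MULTILINE)

def rcode(dig_output):
    """Return the RCODE from dig's ;; ->>HEADER<<- line, or None if absent."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else None

def cookie_broken(with_cookie, without_cookie):
    """True when the same query succeeds without a cookie option but fails
    (NXDOMAIN, FORMERR, ...) as soon as one is sent: the thread's criterion."""
    return rcode(without_cookie) == "NOERROR" and rcode(with_cookie) != "NOERROR"

def origin_appended_cname(dig_output, zone):
    """Spot a CNAME target written without its trailing dot, so the zone
    origin got appended to what was meant to be an absolute name.
    Returns (target as served, target as probably intended) pairs."""
    suffix = "." + zone.strip(".") + "."
    found = []
    for target in CNAME_RE.findall(dig_output):
        if target.endswith(suffix):
            leftover = target[: -len(suffix)]
            if "." in leftover:  # leftover is itself a multi-label name
                found.append((target, leftover + "."))
    return found

def server_stanzas(addresses):
    """named.conf server clauses that stop sending cookies to these addresses."""
    return "\n".join(f"server {ip} {{ send-cookie no; }};" for ip in addresses)
```

Run the real dig commands from the thread, feed both outputs to `cookie_broken`, and only then add the address to the broken-servers include, so the file never silences a server that has since been fixed.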