Re: Again question about edns (like swupdl.adobe.com)
In message <01cfede3$241ccca0$6c5665e0$@ids.it>, "IDS Submit" writes:
> Good morning,
>
> with www.acer.it I have the same problem as swupdl.adobe.com
>
> NXDOMAIN with bind 9.10 but NOERROR with Google DNS
>
> I have read the Mark Andrews reply on July 4 2014:
>
> --
>
> It looks like nameserver vendors are not doing even rudimentary checks like
> those above.  DiG has those options so that we could perform checks like
> these.
>
> Until Adobe fix their broken servers you can use a server clause to
> disable sending SIT requests to them.  Obviously this does not scale.
>
> server { request-sit no; };
>
> Mark
>
> --
>
> But this doesn't solve the problem on other domains ...
>
> ... should be possible enable "request-sit no" for all domains and not
> manually add it?

You can turn it off globally.  request-sit is actually documented.

> Because I think there are a lot of domains with this problem :(

Servers returning NXDOMAIN to unknown EDNS options don't even raise
a blip in the EDNS compliance testing I've been doing.  They are
extremely rare which is why I suggested the server clause then
complaining.

The only reason you notice them is that they cause operational
problems for you, not because they are common.  This is a normal
psychological reaction.

Dropping the query, formerr, badvers are much more common (multiple
percentage points) and unless the zone is signed these just slow
down rather than prevent the resolution in BIND 9.10.1.  There is
only so much trial and error one can do to get a response.

NXDOMAIN would show up as a "status" in the various "Unknown Option
Failure Reasons" graphs of which there were exactly 3 servers on
the 2014-10-21 run, none of which returned NXDOMAIN on examination.

The test script which generates the graphs referenced below has been
updated to differentiate NXDOMAIN responses.

http://users.isc.org/~marka/ts.html

Mark

> --
>
> \Server\Bind\bin\dig.exe @81.174.15.142 www.acer.it
>
> ; <<>> DiG 9.10.1 <<>> @81.174.15.142 www.acer.it
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.acer.it. IN A
>
> ;; ANSWER SECTION:
> www.acer.it. 300 IN CNAME public-akamai.gtm.acer.com.
>
> ;; AUTHORITY SECTION:
> gtm.acer.com. 60 IN SOA gtm1.acer.com. hostmaster.gtm1.acer.com. 482 10800 3600 604800 60
>
> ;; Query time: 572 msec
> ;; SERVER: 81.174.15.142#53(81.174.15.142)
> ;; WHEN: Wed Oct 22 12:13:12 ora legale Europa occidentale 2014
> ;; MSG SIZE rcvd: 132
>
> --
>
> --
>
> \Server\Bind\bin\dig.exe @8.8.8.8 www.acer.it
>
> ; <<>> DiG 9.10.1 <<>> @8.8.8.8 www.acer.it
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.acer.it. IN A
>
> ;; ANSWER SECTION:
> www.acer.it. 281 IN CNAME public-akamai.gtm.acer.com.
> public-akamai.gtm.acer.com. 11 IN CNAME www.acer.com.edgesuite.net.
> www.acer.com.edgesuite.net. 12306 IN CNAME a492.b.akamai.net.
> a492.b.akamai.net. 19 IN A 88.149.196.137
> a492.b.akamai.net. 19 IN A 88.149.196.145
>
> ;; Query time: 60 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Oct 22 12:14:02 ora legale Europa occidentale 2014
> ;; MSG SIZE rcvd: 180
>
> --
>
> Thanks in advance and best regards
>
> Staff IDS

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

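
Added example (not part of any poster's message): a Python sketch that reads the two dig transcripts from this thread the way the discussion does. In the NXDOMAIN response, the CNAME in the answer section and the SOA in the authority section show that the denial concerns the CNAME target and comes from the gtm.acer.com zone, so that zone's name servers are the ones to test and, if needed, list in a server clause. The function names parse_dig and locate_nxdomain are hypothetical, and the sample transcripts are abridged from the thread.

```python
import re

# Abridged from the two dig transcripts quoted in the thread (column spacing restored).
VIA_BIND = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
;; QUESTION SECTION:
;www.acer.it. IN A
;; ANSWER SECTION:
www.acer.it. 300 IN CNAME public-akamai.gtm.acer.com.
;; AUTHORITY SECTION:
gtm.acer.com. 60 IN SOA gtm1.acer.com. hostmaster.gtm1.acer.com. 482 10800 3600 604800 60
"""
VIA_GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
;; QUESTION SECTION:
;www.acer.it. IN A
;; ANSWER SECTION:
www.acer.it. 281 IN CNAME public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com. 11 IN CNAME www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net. 12306 IN CNAME a492.b.akamai.net.
a492.b.akamai.net. 19 IN A 88.149.196.137
a492.b.akamai.net. 19 IN A 88.149.196.145
"""

def parse_dig(text):
    """Parse dig's text output into (status, qname, {section: [(owner, type, rdata)]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    qname = re.search(r"^;([^;\s]\S*)\s+IN\s", text, re.M).group(1).lower()
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            current.append((owner.lower(), rtype, rdata))
    return status, qname, sections

def locate_nxdomain(failing, working):
    """Name the record an NXDOMAIN really refers to and the zone that denied it."""
    status, name, sec = parse_dig(failing)
    if status != "NXDOMAIN":
        return None
    cnames = {o: r[0].lower() for o, t, r in sec.get("ANSWER", []) if t == "CNAME"}
    seen = set()
    while name in cnames and name not in seen:  # follow the chain, guarding against loops
        seen.add(name)
        name = cnames[name]
    soa = next(((o, r[0].lower()) for o, t, r in sec.get("AUTHORITY", []) if t == "SOA"),
               (None, None))
    ok_status, _, ok_sec = parse_dig(working)
    exists = ok_status == "NOERROR" and any(o == name for o, _, _ in ok_sec.get("ANSWER", []))
    return {"denied_name": name, "denying_zone": soa[0], "zone_primary": soa[1],
            "resolves_via_other_path": exists}
```
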
Re: Again question about edns (like swupdl.adobe.com)
On 22.10.2014 12:30, IDS Submit wrote:
> with www.acer.it I have the same problem as swupdl.adobe.com

Indeed, I see the same on a BIND 9.10.1 resolver with SIT requests enabled:

> $ dig swupdl.wip4.adobe.com
[...]
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2510
[...]
> wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1288 10800 3600 604800 60

As the SIT option uses an experimental OPT code for now, you should
expect strange behaviour from a few servers if the option collides
with other experimental code. For example, NSD 2.x responds to BIND's
SIT request with RCODE 17 (BADKEY).

Hauke.

R: Again question about edns (like swupdl.adobe.com)
Good morning,

I have those Bind versions installed:

BIND 9.10.1-x86 in a Windows Server 32 bit
BIND 9.10.1-x64 in a Windows Server 64 bit

Both versions have the SIT (Source Identity Token) EDNS option enabled by default.

You have DiG 9.10-P1 (May 8 2014) and my problems start with 9.10.0-P2 (June 6 2014)

Regards

Staff IDS

From: Chiesa Stefano [mailto:stefano.chi...@wki.it]
Sent: Wednesday, 22 October 2014 14:44
To: IDS Submit; bind-us...@isc.org
Subject: R: Again question about edns (like swupdl.adobe.com)

R: Again question about edns (like swupdl.adobe.com)
Hello all.

Maybe I didn't understand the problem but in my installation of BIND 9.10 WINDOWS I can't replicate the error:

C:\>dig swupdl.adobe.com @10.39.128.11

; <<>> DiG 9.10-P1 <<>> swupdl.adobe.com @10.39.128.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43143
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;swupdl.adobe.com. IN A

;; ANSWER SECTION:
swupdl.adobe.com. 10761 IN CNAME swupdl.wip4.adobe.com.
swupdl.wip4.adobe.com. 561 IN CNAME swupdl.adobe.com.edgesuite.net.
swupdl.adobe.com.edgesuite.net. 21561 IN CNAME a1577.d.akamai.net.
a1577.d.akamai.net. 20 IN A 95.101.34.43
a1577.d.akamai.net. 20 IN A 95.101.34.51

-

C:\>dig www.acer.it @10.39.128.11

; <<>> DiG 9.10-P1 <<>> www.acer.it @10.39.128.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49188
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.acer.it. IN A

;; ANSWER SECTION:
www.acer.it. 275 IN CNAME public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com. 6 IN CNAME www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net. 21576 IN CNAME a492.b.akamai.net.
a492.b.akamai.net. 20 IN A 2.228.46.113
a492.b.akamai.net. 20 IN A 2.228.46.122

Regards.

Stefano Chiesa

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On behalf of IDS Submit
Sent: Wednesday, 22 October 2014 12:30
To: bind-us...@isc.org
Subject: Again question about edns (like swupdl.adobe.com)

Re: Again question about edns (like swupdl.adobe.com)
For what little it's worth, I've seen this somewhat even on 9.8 (it's
not new), though increasingly on 9.9...not saying it's BIND specific,
just that I've hit these kind of annoyances with remote servers awhile
now.

I've tried explaining this on numerous internal email threads, tickets,
webex (calls are great), etc...but it is quite frustrating, because so
long as reasonably savvy users can "dig @8.8.8.8" and get a response,
they don't believe your server isn't broken.

From: IDS Submit <sub...@ids.it>
Date: Wednesday, October 22, 2014 at 6:30 AM
To: "bind-us...@isc.org" <bind-us...@isc.org>
Subject: Again question about edns (like swupdl.adobe.com)

Again question about edns (like swupdl.adobe.com)
Good morning,

with www.acer.it I have the same problem as swupdl.adobe.com

NXDOMAIN with bind 9.10 but NOERROR with Google DNS

I have read the Mark Andrews reply on July 4 2014:

--

It looks like nameserver vendors are not doing even rudimentary checks like
those above.  DiG has those options so that we could perform checks like
these.

Until Adobe fix their broken servers you can use a server clause to
disable sending SIT requests to them.  Obviously this does not scale.

server { request-sit no; };

Mark

--

But this doesn't solve the problem on other domains ...

... should be possible enable "request-sit no" for all domains and not manually add it?

Because I think there are a lot of domains with this problem :(

--

\Server\Bind\bin\dig.exe @81.174.15.142 www.acer.it

; <<>> DiG 9.10.1 <<>> @81.174.15.142 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.acer.it. IN A

;; ANSWER SECTION:
www.acer.it. 300 IN CNAME public-akamai.gtm.acer.com.

;; AUTHORITY SECTION:
gtm.acer.com. 60 IN SOA gtm1.acer.com. hostmaster.gtm1.acer.com. 482 10800 3600 604800 60

;; Query time: 572 msec
;; SERVER: 81.174.15.142#53(81.174.15.142)
;; WHEN: Wed Oct 22 12:13:12 ora legale Europa occidentale 2014
;; MSG SIZE rcvd: 132

--

--

\Server\Bind\bin\dig.exe @8.8.8.8 www.acer.it

; <<>> DiG 9.10.1 <<>> @8.8.8.8 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.acer.it. IN A

;; ANSWER SECTION:
www.acer.it. 281 IN CNAME public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com. 11 IN CNAME www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net. 12306 IN CNAME a492.b.akamai.net.
a492.b.akamai.net. 19 IN A 88.149.196.137
a492.b.akamai.net. 19 IN A 88.149.196.145

;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 22 12:14:02 ora legale Europa occidentale 2014
;; MSG SIZE rcvd: 180

--

Thanks in advance and best regards

Staff IDS