On 09.04.18 09:59, Benoit Panizzon wrote:
> Hi List
>
> [...]
> Our two main caching DNS Servers run bind 9.11.2-P1, after flushing
> the cache and even restarting still see an issue with this domain:
> [...]
> Doing the same test via a 9.10.3-P4-Debian with Validation enabled,
> works fine.
>

The most likely reason:
Bind 9.11 enables EDNS cookies by default, but the authoritative servers
for this domain do not handle EDNS correctly:

https://ednscomp.isc.org/ednscomp/b01039e111

quick fix:
server NSNAME { send-cookie no; };

Btw: Currently, many resolvers implement workarounds for such broken
nameservers, but several open-source resolver implementations agreed on
removing
these workarounds next year, so the affected nameservers will have to be
fixed.

https://blog.powerdns.com/2018/03/22/removing-edns-workarounds/



_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog

Antwort per Email an