Hi Andreas,

The servers respond with different TTLs which is why unbound classifies the answers as different, which is why the fallback for capsforid does not work in this case.

Best regards,
Wouter

On 10/10/14 15:44, A. Schulze wrote:
>
> A. Schulze:
>
>> Last week I had an issue with a domain I could analyse in
>> detail. The external customer ran a Debian Squeeze + bind 9.7.3
>> for his domain and rDNS
>>
>> The rDNS was broken because we sent queries for *.In.ADr.ArpA.
>>
>> The Debian servers were "protected" by a Cisco firewall. This
>> device had a "content inspection" for DNS enabled which broke
>> his bind9 answers.
>>
>> Unfortunately the latest 0x20 patches for unbound-1.4.22 did not
>> catch that.
>>
>> @Wouter, if you're interested I could set up a test environment...
>
> today we hit a powerdns server responding in an unexpected manner:
>
> $ dig @ns1.ipandmore.de MAIL1.IPANDMORE.DE +norecurse +noall +answer
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de MAIL1.IPANDMORE.DE +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> MAIL1.IPANDMORE.DE. 14400 IN A 213.252.2.157
>
> -> OK
>
> $ dig @ns1.ipandmore.de 157.2.252.213.in-addr.arpa. PTR +norecurse +noall +answer
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de 157.2.252.213.in-addr.arpa. PTR +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> 157.2.252.213.in-addr.arpa. 900 IN PTR mail1.ipandmore.de.
>
> -> OK
>
> BUT:
> $ dig @ns1.ipandmore.de 157.2.252.213.IN-ADDR.ARPA. PTR +norecurse +noall +answer
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de 157.2.252.213.IN-ADDR.ARPA. PTR +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> 157.2.252.213.in-addr.arpa. 900 IN PTR mail1.ipandmore.de.
>
> -> OK?, notice the lowercase "in-addr.arpa." in the answer.
>
> We had a similar issue in June:
> http://unbound.net/pipermail/unbound-users/2014-June/003377.html
>
> Wouter wrote a patch I'm using here to handle the situation where
> DNS servers don't answer to uppercase queries at all. But that
> mechanism fails here because there is no timeout.
>
> I run 1.4.22 with the attached patch. Ideas / Updates?
>
> Andreas
>
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
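
Added example (not part of the mail above and not unbound's code): a simplified Python model of the situation described in the reply, where a fallback that compares the answers of several servers rejects them because only the TTLs differ. The first record is the PTR answer quoted in the mail; the second server's record with TTL 3600 is constructed, and all function names are hypothetical.

```python
# Added illustration: a simplified model, not unbound's code.
from typing import NamedTuple

NAME_RDATA = {"PTR", "NS", "CNAME"}  # rdata is a domain name: case-insensitive

class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str

def parse_rr(line: str) -> RR:
    """Parse one dig-style answer line: name ttl class type rdata."""
    name, ttl, _cls, rtype, rdata = line.split(None, 4)
    return RR(name, int(ttl), rtype, rdata.strip())

def case_preserved(sent: str, returned: str) -> bool:
    """0x20 check: the name must come back byte-for-byte as it was sent."""
    return sent == returned

def canonical(rrs, ignore_ttl):
    """Order-independent, case-folded form of one server's answer."""
    out = []
    for rr in rrs:
        rdata = rr.rdata.lower() if rr.rtype in NAME_RDATA else rr.rdata
        key = (rr.name.lower(), rr.rtype, rdata)
        out.append(key if ignore_ttl else key + (rr.ttl,))
    return sorted(out)

def fallback_agrees(per_server, ignore_ttl):
    """Fallback check: every server must give the same answer."""
    forms = [canonical(rrs, ignore_ttl) for rrs in per_server]
    return all(f == forms[0] for f in forms)

SENT = "157.2.252.213.IN-ADDR.ARPA."   # query name from the mail
NS1 = [parse_rr("157.2.252.213.in-addr.arpa. 900 IN PTR mail1.ipandmore.de.")]
# Constructed: second server of the zone, same data, different TTL (assumed).
NS2 = [parse_rr("157.2.252.213.in-addr.arpa. 3600 IN PTR mail1.ipandmore.de.")]

if __name__ == "__main__":
    print("case preserved:", case_preserved(SENT, NS1[0].name))
    print("agree with TTL:", fallback_agrees([NS1, NS2], ignore_ttl=False))
    print("agree w/o TTL: ", fallback_agrees([NS1, NS2], ignore_ttl=True))
```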
