[dns-operations] 2600::a1 (ns1-auth.sprintlink.net)
Mark Andrews
marka at isc.org
Thu Feb 16 21:48:09 UTC 2017
In message <CAGfsgR3bH1qEZ4g2-SLcBo5xHDpdw+1W5u-Jqxop=LBqAa-CYA at mail.gmail.com>, Jim Popovitch writes:
> On Thu, Feb 16, 2017 at 3:00 PM, Gonzalo Muñoz <gmunoz at nic.cl> wrote:
> > It looks like the sprintlink NS has a problem with DNS cookies. Using
> > dig 9.11.0-P1:
> >
> > $ dig @ns1-auth.sprintlink.net. ups.com mx
> > (...)
> > ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 14540
> > (...)
> >
> > $ dig @ns1-auth.sprintlink.net. ups.com mx +nocookie
> > (...)
> > ;; ANSWER SECTION:
> > ups.com. 300 IN MX 10 email-vip.ups.com.
> > ups.com. 300 IN MX 10 email2-vip.ups.com.
> > (...)
> >
>
> Ahh! That's it.
>
> Interestingly enough bind does seem to always figure out the data it
> needs by continuing to query other NSes.

Named decides that the servers DO NOT SUPPORT EDNS and switches
back to plain DNS. There are servers that return BADVERS to EDNS
without EDNS options so that is the only way to get answers from
those servers.

Named then asks again with plain DNS. This has implications as
these servers also serve signed zones and that breaks DNSSEC
validation. For the list of .GOV zones that are broken because of
this see: https://ednscomp.isc.org/compliance/gov-full-report.html#eo

Mark

> Thanks!!
>
> -Jim P.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
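
Added example, not part of the message above: a Python sketch of how the BADVERS status in the quoted dig output is derived from a reply, and how a monitoring check could flag a server that returns it to an EDNS version 0 query carrying a COOKIE option. The function names and the sample reply bytes are constructed for illustration; nothing here is ISC's or dig's code.

```python
import struct

COOKIE_OPT = 10   # EDNS option code for DNS COOKIE (RFC 7873)
OPT_RR = 41       # OPT pseudo-RR type (RFC 6891)
BADVERS = 16      # extended RCODE: EDNS version not supported

def build_query(qname, qtype, cookie=None, qid=0x1234):
    """Build a DNS query with an EDNS(0) OPT record; add a COOKIE option if given."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    rdata = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie if cookie else b""
    # OPT: root name, type 41, class = UDP size 4096, TTL = ext-rcode 0, version 0, flags 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def extended_rcode(msg):
    """Return (rcode, has_opt); rcode is 12 bits: OPT TTL high byte + header RCODE."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RR:
            return ((ttl >> 24) << 4) | rcode, True
    return rcode, False

def classify(reply):
    """Label a reply to a version-0 EDNS query."""
    rcode, has_opt = extended_rcode(reply)
    if rcode == BADVERS:
        return "broken: BADVERS to EDNS version 0"
    return "ok" if has_opt else "no OPT in reply"

# Constructed sample reply (not captured traffic): QR=1, header RCODE 0, OPT ext-rcode 1.
SAMPLE_BADVERS = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 0, 1)
                  + b"\x03ups\x03com\x00" + struct.pack("!HH", 15, 1)
                  + b"\x00" + struct.pack("!HHIH", OPT_RR, 4096, 1 << 24, 0))
```

The header RCODE of the sample is 0; only the OPT record's high TTL byte turns it into BADVERS, which is why a resolver that ignores or drops EDNS sees nothing wrong with such a server.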