[dns-operations] Problems with whois.verisign-grs.com
Tony Finch
dot at dotat.at
Fri Jun 16 16:16:10 UTC 2017
The name servers for whois.verisign-grs.com have some annoying misbehaviour.
They do not permit queries over TCP, and they sometimes respond
with truncated queries over UDP, specifically, when you query for
whois.verisign-grs.com AAAA with an EDNS cookie and an EDNS buffer
size of 526 bytes or less.
If you query with an EDNS buffer size betwee 527 and 673 inclusive, you
get a curious response listing 17 addresses.
If you query with an EDNS buffer size of 674 or more, you get a more
normal response with 1 answer and a filled in authority section. This
response is less than 512 bytes.
The same thing happens when querying over IPv6 and IPv4.
Without cookies the servers return a small response with just one record
in the answer section.
This misbehaviour causes problems with recent versions of BIND which
support EDNS cookies and start off with an EDNS buffer size of 512.
; <<>> DiG 9.12.0-dev <<>> +bufsize=526 +qr +ignore +norec +noad whois.verisign-grs.com AAAA @whoisns1.nstld.net.
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27842
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 526
; COOKIE: aaaed3db1772f7b1
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; QUERY SIZE: 63
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27842
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; Query time: 112 msec
;; SERVER: 2001:503:ff39:10ff::206#53(2001:503:ff39:10ff::206)
;; WHEN: Fri Jun 16 16:55:06 BST 2017
;; MSG SIZE rcvd: 51
; <<>> DiG 9.12.0-dev <<>> +bufsize=673 +qr +ignore +norec +noad whois.verisign-grs.com AAAA @whoisns1.nstld.net.
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24404
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 673
; COOKIE: b894234a4ab01aae
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; QUERY SIZE: 63
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24404
;; flags: qr aa tc; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; ANSWER SECTION:
whois.verisign-grs.com. 1 IN AAAA 2001:500:ed30:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:501:8a29:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:502:8c25:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:502:be98:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:3227:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:4872:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:5419:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:5ae2:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:6810:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:7bbf:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:91ef:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:bfb0:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:e8ef:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:f189:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:f3da:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:503:ff39:1000::74
whois.verisign-grs.com. 1 IN AAAA 2001:500:30ff:1000::74
;; Query time: 112 msec
;; SERVER: 2001:503:ff39:10ff::206#53(2001:503:ff39:10ff::206)
;; WHEN: Fri Jun 16 16:57:11 BST 2017
;; MSG SIZE rcvd: 527
; <<>> DiG 9.12.0-dev <<>> +bufsize=674 +qr +ignore +norec +noad whois.verisign-grs.com AAAA @whoisns1.nstld.net.
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8511
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 674
; COOKIE: 0883b0701c0e3520
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; QUERY SIZE: 63
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8511
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; ANSWER SECTION:
whois.verisign-grs.com. 30 IN AAAA 2001:503:f189:1000::74
;; AUTHORITY SECTION:
whois.verisign-grs.com. 500 IN NS whoisns4.nstld.net.
whois.verisign-grs.com. 500 IN NS whoisns2.nstld.net.
whois.verisign-grs.com. 500 IN NS whoisns5.nstld.net.
whois.verisign-grs.com. 500 IN NS whoisns3.nstld.net.
whois.verisign-grs.com. 500 IN NS whoisns6.nstld.net.
whois.verisign-grs.com. 500 IN NS whoisns1.nstld.net.
;; Query time: 113 msec
;; SERVER: 2001:503:ff39:10ff::206#53(2001:503:ff39:10ff::206)
;; WHEN: Fri Jun 16 16:59:03 BST 2017
;; MSG SIZE rcvd: 226
; <<>> DiG 9.12.0-dev <<>> +nocookie +bufsize=512 +qr +ignore +norec +noad whois.verisign-grs.com AAAA @whoisns1.nstld.net.
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63023
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; QUERY SIZE: 51
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63023
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;whois.verisign-grs.com. IN AAAA
;; ANSWER SECTION:
whois.verisign-grs.com. 30 IN AAAA 2001:500:30ff:1000::74
;; Query time: 112 msec
;; SERVER: 2001:503:ff39:10ff::206#53(2001:503:ff39:10ff::206)
;; WHEN: Fri Jun 16 17:04:21 BST 2017
;; MSG SIZE rcvd: 79
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fisher, German Bight: Northwest 5 to 7, occasionally gale 8 at first in
Fisher, backing west 4 or 5 later. Moderate, occasionally rough in east
Fisher. Fair. Good.
More information about the dns-operations
mailing list