• BIND 9 recursive queries returning SERVFAIL for 'legit' domain

    From Ian Springett@ian.springett@giacom.com to bind-users@lists.isc.org on Wed Jun 17 08:45:37 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi
    I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and 'bad cookie' is logged in /var/log/messages & /var/log/named.run

    The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known 'good' domains?
    Rgds
    Ian

    Ian Springett
    Hosted Services Engineer
    Giacom World Networks Ltd
    Tel: 0845 305 5577
    Fax: 01482 330194
    Email: ian.springett@giacom.com
    Website: www.giacom.com

    IMPORTANT:
    Legally privileged/confidential information may be contained in this message. If you are not the addressee(s) legally indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message, and notify us immediately. If you or your employer does not consent to Internet e-mail messages of this kind, please advise us immediately. Opinions, conclusions and other information expressed in this message are not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.
    Please note that neither my employer nor I accept any responsibility for viruses and it is your responsibility to scan attachments (if any). This email and any files transmitted are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify me by returning the email.

    Giacom World Networks Limited, Company No 03813447 Registered in England & Wales, Registered Office: Bridge Haven One, Saxon Way, Priory Park, Hessle, East Yorkshire HU13 9PG.


    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Ondřej Surý@ondrej@isc.org to Ian Springett on Wed Jun 17 18:41:23 2020
    From Newsgroup: comp.protocols.dns.bind


    Hi Ian,

    the first thing you should do is to contact the zone owner to fix their nameservers/load-balancer. The zone/domain might be “legit”, but its nameservers are violating the DNS protocol. Maybe you won’t have to maintain a list of exceptions.

    If that doesn’t work, this is the configuration option you are looking for: https://bind9.readthedocs.io/en/latest/reference.html?highlight=Cookie#server-statement-grammar

    Ondrej
    --
    Ondřej Surý — ISC

    On 17 Jun 2020, at 17:22, Ian Springett <ian.springett@giacom.com> wrote:

    > Hi
    > I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run
    >
    > The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?
    > Rgds
    > Ian
  • From Mark Andrews@marka@isc.org to Ian Springett on Thu Jun 18 09:57:34 2020
    From Newsgroup: comp.protocols.dns.bind


    On 17 Jun 2020, at 18:45, Ian Springett <ian.springett@giacom.com> wrote:

    > Hi
    > I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run
    >
    > The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?
    > Rgds
    > Ian

    Load balancers shouldn’t cause “bad cookie” (client cookie component not echoed back in the cookie response) as opposed to the BADCOOKIE rcode which can be caused by misconfigured shared secrets. Named will handle the BADCOOKIE rcode switching to TCP if necessary. “bad cookie” indicates a botched DNS COOKIE implementation in the server, a broken full answer cache mechanism that hasn’t considered that EDNS options modify responses, or someone is attempting to spoof a reply and is including a DNS COOKIE (named assumes this is the case and waits for the legitimate).
    Ondrej’s suggestions are the way to go here.
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
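
Added example, not part of the original thread and not ISC code: a small parser that tells the two conditions discussed above apart, a response whose COOKIE option does not echo the client cookie ("bad cookie") versus a response carrying the BADCOOKIE rcode. It assumes the RFC 7873 wire layout (option code 10, 8-byte client cookie first, rcode 23); the function names, cookie values and sample messages are constructed for illustration.

```python
import struct

OPT, COOKIE, BADCOOKIE = 41, 10, 23  # OPT RR type (RFC 6891); COOKIE option and rcode (RFC 7873)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def parse_cookie(msg):
    """Return (full_rcode, cookie_bytes_or_None) for a DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, cookie, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT:
            continue
        rcode |= (ttl >> 24) << 4                 # upper 8 bits of the extended rcode
        p = 0
        while p + 4 <= len(rdata):                # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == COOKIE:
                cookie = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return rcode, cookie

def classify(msg, client_cookie):
    """Classify a response against the 8-byte client cookie sent in the query."""
    rcode, cookie = parse_cookie(msg)
    if cookie is None:
        return "no cookie option in response"
    if cookie[:8] != client_cookie:
        return "bad cookie: client cookie not echoed"
    if rcode == BADCOOKIE:
        return "BADCOOKIE rcode: server did not accept the server cookie"
    return "cookie ok"

def build_response(rcode, cookie):
    """Constructed response for example.test/A with a single OPT record (sample data)."""
    header = struct.pack("!6H", 0x1234, 0x8180 | (rcode & 0xF), 1, 0, 0, 1)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    option = struct.pack("!HH", COOKIE, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, (rcode >> 4) << 24, len(option)) + option
    return header + question + opt

# Constructed cookie values, not taken from any real server.
CLIENT = bytes.fromhex("0123456789abcdef")
OTHER_CLIENT = bytes.fromhex("fedcba9876543210")
SERVER = bytes.fromhex("a1a2a3a4a5a6a7a8")

GOOD = build_response(0, CLIENT + SERVER)
NOT_ECHOED = build_response(0, OTHER_CLIENT + SERVER)   # e.g. an answer replayed from a cache
REJECTED = build_response(BADCOOKIE, CLIENT + SERVER)

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("not echoed", NOT_ECHOED), ("rejected", REJECTED)):
        print(f"{label:11s} -> {classify(msg, CLIENT)}")
```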